HP Intelligent Management Center Network Traffic Analyzer Administrator Guide

v7.
0 HP Intelligent Management Center

Network Traffic Analyzer Administrator
Guide
HP Part Number: 5998-4733

Published: September 2013
Volume: 7.0 (E0101)
Edition: 1.0
Copyright 2013 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.
No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard
Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors
contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
Acknowledgments
Microsoft, Windows, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Adobe and Acrobat are trademarks of Adobe Systems Incorporated.
Contents
1 Introduction to Network Traffic Analyzer......................................................14
NTA data source overview.......................................................................................................14
NTA and network flow record collection overview.......................................................................16
NTA and network flow record processing overview.....................................................................17
NTA server configuration....................................................................................................18
Traffic analysis task management.........................................................................................18
Application, protocol, and application category management.................................................19
Filtering strategies..............................................................................................................19
NTA parameter settings......................................................................................................20
Network behavior anomaly detection........................................................................................20
NTA widgets..........................................................................................................................22
Analyzing the network traffic between virtual machines...............................................................22
2 Configuring NTA for traffic analysis and auditing.........................................24

Managing NTA data sources...................................................................................................24
Device management...........................................................................................................24
Viewing the NTA device list............................................................................................25
Viewing the NTA device details page..............................................................................26
Adding an NTA data source device.................................................................................27
Modifying an NTA data source device.............................................................................29
Deleting an NTA data source device................................................................................31
Probe management............................................................................................................31
Viewing the probe list....................................................................................................31
Viewing the NTA probe details page...............................................................................32
Adding a probe............................................................................................................32
Modifying a probe........................................................................................................33
Deleting a probe...........................................................................................................33
Managing NTA servers...........................................................................................................34
Viewing the NTA server list..................................................................................................34
Viewing the NTA server details page....................................................................................35
Modifying an NTA server configuration................................................................................36
Re-deploying the NTA server configuration............................................................................37
Capturing an NTA server flux log.........................................................................................38
Managing applications in NTA................................................................................................38
Managing applications......................................................................................................39
Viewing the application list.............................................................................................39
Querying the application list...........................................................................................40
Adding an application...................................................................................................41
Modifying an application...............................................................................................43
Batch importing applications..........................................................................................44
Deleting an application..................................................................................................45
Introduce regular expression in NTA................................................................................45
Managing protocols...........................................................................................................47
Viewing the protocol list.................................................................................................47
Querying the protocol list...............................................................................................48
Adding a protocol.........................................................................................................49
Modifying a protocol.....................................................................................................49
Batch importing protocols...............................................................................................50
Deleting a protocol........................................................................................................51
Managing application categories........................................................................................51
Viewing the application category list....................................................................................51
Querying the application category list..................................................................................52
Contents
Adding an application category..........................................................................................53

Modifying an application category......................................................................................54
Deleting an application category.........................................................................................56
Configuring NTA traffic analysis parameters...............................................................................56
Basic and advanced settings...............................................................................................56
Using NTA filtering strategies...................................................................................................59
Viewing the filter list...........................................................................................................60
Viewing the filter condition list.............................................................................................60
Adding a filter strategy.......................................................................................................61
Modifying a filter strategy...................................................................................................63
Deleting a filter strategy......................................................................................................65
Database space management..................................................................................................66
Viewing database current usage statistics..............................................................................66
Viewing database usage trend statistics................................................................................66
Data export...........................................................................................................................67
Viewing the data export config list.......................................................................................67
Querying the data export logs.............................................................................................68
Modifying the data export configuration...............................................................................68
Auditing the exported data.................................................................................................69
Anomaly detection management...............................................................................................69
Viewing the anomaly detection list.......................................................................................70
Modifying an anomaly template that uses the common parameters...........................................70
Modifying an anomaly template that uses anomaly type-specific parameters..............................71
DNS Rogue Hack..........................................................................................................71
Ping of Death Attack......................................................................................................71
Large ICMP Packet........................................................................................................71
DHCP Offer Packet........................................................................................................71
3 Host session monitoring.............................................................................73

Host session monitoring overview..............................................................................................73
Host session monitoring reporting........................................................................................73
Host session monitoring configuration considerations..............................................................73
Managing host session monitoring............................................................................................73
Setting threshold alarm parameters for host sessions...............................................................73
Viewing host session monitor reports.........................................................................................74
Navigating to the host session monitor reports.......................................................................74
Summary reports for host sessions........................................................................................75
TopN Sessions of All Servers (Last 1 Hour)........................................................................75
TopN Sessions of Selected Servers (Last 1 Hour)................................................................76
Detailed reports for host sessions.........................................................................................76
Individual NTA server host sessions report........................................................................77
Query Sessions........................................................................................................77
TopN Sessions List....................................................................................................78
Device host sessions report.............................................................................................78
Query Sessions........................................................................................................78
TopN Sessions List....................................................................................................79
Host session details report..............................................................................................80
Session Trend...........................................................................................................80
Session Details.........................................................................................................80
4 Interface monitoring..................................................................................82
Interface traffic analysis overview..............................................................................................82
Interface traffic analysis reporting overview...........................................................................82
Interface traffic analysis configuration considerations..............................................................83
Managing interface traffic analysis Tasks...................................................................................84
Viewing a traffic analysis task..............................................................................................84
4
Contents
Viewing interface traffic analysis task details..........................................................................85

Adding an interface traffic analysis task................................................................................86
Modifying an interface traffic analysis task............................................................................89
Deleting an interface traffic analysis task...............................................................................92
Adding an interface traffic analysis task by using the detection function....................................93
Viewing the detected interfaces.......................................................................................93
Adding a new traffic analysis task for interfaces................................................................93
Adding interfaces to an existing traffic analysis task...........................................................93
Viewing interface traffic analysis reports....................................................................................94
Navigating to the interface traffic analysis reports..................................................................94
Summary reports for all interface tasks..................................................................................94
Average rate (last 1 hour)...............................................................................................94
Traffic trend and TopN application for selected task (last 1 hour).........................................95
Summary list (last 1 hour)...............................................................................................96
Detailed reports for an interface traffic analysis task...............................................................97
Traffic reports...............................................................................................................97
Query traffic............................................................................................................98
Traffic trend average..............................................................................................99
Traffic trend peak rate..........................................................................................100
TopN traffic list for ToS/MPLS Exp............................................................................101
TopN VLAN traffic list.............................................................................................101
Flux distribute in interface........................................................................................102
Interface flux trend..................................................................................................102
Traffic details.........................................................................................................103
Application reports......................................................................................................103
Query applications.................................................................................................104
Application list.......................................................................................................105
Application traffic trend...........................................................................................106
Individual application reports........................................................................................106
TopN application usage list.....................................................................................107
TopN traffic report for unknown TCP/UDP application by port......................................108
TopN traffic list for unknown TCP/UDP application by port..........................................108
Traffic trend report for unknown TCP/UDP applications by port.....................................109
TopN traffic details list for unknown TCP/UDP applications by port...............................109
Protocol reports...........................................................................................................110
Query protocols.....................................................................................................110
Protocol list............................................................................................................111
Protocol traffic trend................................................................................................112
Individual protocol reports............................................................................................112
TopN protocol usage list..........................................................................................113
Application category reports........................................................................................114
Query application categories...................................................................................114
Application category list..........................................................................................115
Application category traffic trend..............................................................................115
Individual application category reports..........................................................................116
TopN application category usage list........................................................................116
Source reports............................................................................................................117
Query sources.......................................................................................................118
TopN traffic report for source host.............................................................................119
TopN traffic list for source host.................................................................................119
Traffic trend report for source host.............................................................................120
Traffic details.........................................................................................................120
Contents
Destination reports......................................................................................................121
Query destinations.................................................................................................121
TopN traffic report for destination host.......................................................................122
TopN traffic list for destination host...........................................................................123
Traffic trend report for destination host.......................................................................123
Traffic details.........................................................................................................124
Session reports...........................................................................................................124
Query sessions.......................................................................................................125
TopN traffic report for session host............................................................................126
TopN traffic list for session host................................................................................126
Session host traffic trend report.................................................................................127
TopN applications for session host............................................................................127
5 VLAN monitoring...................................................................................128
VLAN traffic analysis overview...............................................................................................128
VLAN traffic analysis reporting overview.............................................................................128
VLAN traffic analysis configuration considerations................................................................129
Managing VLAN traffic analysis tasks.....................................................................................130
Viewing VLAN traffic analysis tasks....................................................................................130
Viewing VLAN traffic analysis task details...........................................................................131
Adding a VLAN traffic analysis task...................................................................................131
Modifying a VLAN traffic analysis task...............................................................................133
Deleting a VLAN traffic analysis task..................................................................................134
Viewing VLAN traffic analysis reports......................................................................................134
Navigating to VLAN traffic analysis reports.........................................................................134
Summary reports for all VLAN traffic analysis tasks...............................................................135
Average rate (last 1 hour).............................................................................................135
Traffic trend and TopN application for selected task (last 1 hour).......................................135
Summary list (last 1 hour).............................................................................................136
Detailed reports for a VLAN traffic analysis task...................................................................137
Traffic reports.............................................................................................................137
Query traffic..........................................................................................................137
Traffic trend...........................................................................................................138
VLAN traffic distribution..........................................................................................139
VLAN traffic trend...................................................................................................139
Traffic details.........................................................................................................140
Application traffic trend for an individual application..................................................143
TopN application usage list for an individual application.............................................144
TopN traffic report for unknown TCP/UDP application by port......................................144
TopN traffic list for unknown TCP/UDP application by port..........................................145
TopN traffic report for unknown TCP/UDP application by source..................................146
TopN traffic list for unknown TCP/UDP application by source.......................................147
Traffic trend report for unknown TCP/UDP applications by source.................................147
TopN traffic details list for unknown TCP/UDP applications by source............................148
TopN traffic report for unknown TCP/UDP application by destination............................148
TopN traffic list for unknown TCP/UDP application by destination.................................149
TopN traffic list for unknown TCP/UDP application by destination.................................149
TopN traffic details list for unknown TCP/UDP applications by destination......................149
Protocol Reports..........................................................................................................150
6
Contents
Query protocols.....................................................................................................150
Protocol list............................................................................................................151
Protocol traffic trend for an individual protocol............................................................152
TopN protocol usage list for an individual protocol.....................................................152
Application category traffic trend for an individual application category........................155
TopN application category usage list for an individual application category..................156
Source reports............................................................................................................156
Query sources.......................................................................................................157
Traffic details for source host....................................................................................159
Traffic details for destination host..............................................................................162
Session reports...........................................................................................................163
Query sessions.......................................................................................................163
6 Probe monitoring....................................................................................166
Probe traffic monitoring overview............................................................................................166
Probe traffic analysis reporting overview.............................................................................166
Probe traffic analysis configuration considerations................................................................167
Managing probe traffic analysis tasks.....................................................................................167
Viewing a traffic analysis task............................................................................................167
Viewing probe traffic analysis task details...........................................................................168
Adding a probe traffic analysis task...................................................................................169
Modifying a probe traffic analysis task...............................................................................170
Deleting a probe traffic analysis task..................................................................................171
Viewing probe traffic analysis reports......................................................................................171
Navigating to the probe traffic analysis reports....................................................................172
Summary reports for all probe tasks...................................................................................172
Detailed reports for a probe traffic analysis task...................................................................173
Traffic reports.............................................................................................................174
Query traffic..........................................................................................................174
Traffic trend - average.............................................................................................175
Traffic trend - peak rate...........................................................................................175
Traffic details.........................................................................................................176
Contents

TopN traffic report for unknown TCP/UDP applications by port.....................................180
TopN traffic list for unknown TCP/UDP applications by port.........................................181
TopN traffic list for unknown TCP/UDP applications by source host...............................181
TopN traffic list for unknown TCP/UDP applications by destination host.........................181
TopN traffic details for unknown TCP/UDP applications by port....................................182
Query protocols.....................................................................................................183
Protocol list............................................................................................................184
Source reports............................................................................................................190
Query sources.......................................................................................................190
Traffic details.........................................................................................................193
Traffic details.........................................................................................................196
Session reports...........................................................................................................197
Query sessions.......................................................................................................197
7 Application monitoring............................................................................201
Application traffic analysis overview........................................................................................201
Application traffic analysis reporting overview.....................................................................201
Application traffic analysis configuration considerations........................................................202
Managing application traffic analysis tasks..............................................................................203
Viewing application traffic analysis task details....................................................................203
Adding an application traffic analysis task..........................................................................204
Modifying an application traffic analysis task......................................................................207
Deleting an application traffic analysis task.........................................................................211
Viewing application traffic analysis reports...............................................................................211
Navigating to the application traffic analysis reports.............................................................211
8
Contents
Summary reports for all application tasks............................................................................212

Traffic trend for selected task (last 1 hour).......................................................................212
Detailed reports for an application traffic analysis task..........................................................213
Traffic reports.............................................................................................................213
Query traffic..........................................................................................................214
Traffic details.........................................................................................................215
Source reports............................................................................................................216
Query source hosts.................................................................................................216
Source host traffic trend report..................................................................................218
TopN destination hosts communicating with the source host.........................................219
Query destination hosts...........................................................................................220
TopN traffic report by destination host.......................................................................221
Destination host traffic trend report............................................................................222
TopN source hosts communicating with the destination host.........................................222
Session reports...........................................................................................................223
Query sessions.......................................................................................................223
Session traffic trend report.......................................................................................225
Session traffic list....................................................................................................226
8 Host monitoring......................................................................................227
Host traffic analysis overview..................................................................................................227
Host traffic analysis reporting overview...............................................................................227
Host traffic analysis configuration considerations..................................................................229
Managing host traffic analysis tasks........................................................................................229
Viewing host traffic analysis task details..............................................................................230
Adding a host traffic analysis task......................................................................................231
Modifying a host traffic analysis task..................................................................................235
Deleting a host traffic analysis task.....................................................................................239
Viewing host traffic analysis reports.........................................................................................239
Navigating to the host traffic analysis reports.......................................................................239
Summary reports for all host tasks......................................................................................240
Detailed reports for a host traffic analysis task.....................................................................242
Traffic reports.............................................................................................................242
Query traffic..........................................................................................................242
Traffic details.........................................................................................................245
Contents

TopN traffic list for unknown TCP/UDP applications by port.........................................250
TopN traffic list for unknown TCP/UDP applications by source host...............................251
TopN traffic list for unknown TCP/UDP applications by destination host.........................251
Query protocols.....................................................................................................253
Protocol list............................................................................................................254
Source reports............................................................................................................261
Query sources.......................................................................................................261
Traffic details.........................................................................................................264
Traffic details.........................................................................................................267
Session reports...........................................................................................................268
Query sessions.......................................................................................................268
9 VPN monitoring.....................................................................................272
VPN traffic analysis overview.................................................................................................272
VPN traffic analysis reporting overview...............................................................................272
VPN traffic analysis configuration considerations..................................................................273
Managing VPN traffic analysis tasks.......................................................................................274
Viewing VPN traffic analysis task details.............................................................................274
Adding a VPN traffic analysis task.....................................................................................275
Modifying a VPN traffic analysis task.................................................................................276
Deleting a VPN traffic analysis task....................................................................................278
Viewing VPN traffic analysis reports........................................................................................278
Navigating to the VPN traffic analysis reports......................................................................278
Summary reports for all VPN tasks.....................................................................................279
10
Contents
VPN flux distribution in interfaces..................................................................................280
Interface flux distribution in VPNs..................................................................................280
Granular reports for a VPN traffic analysis task....................................................................281
Traffic reports.............................................................................................................282
Query traffic..........................................................................................................282
Traffic trend average............................................................................................283
Traffic trend peak rate..........................................................................................284
TopN traffic list for ToS/MPLS exp............................................................................285
Traffic details.........................................................................................................285
Application trend....................................................................................................288
TopN traffic list for unknown TCP/UDP by port...........................................................291
Protocol reports...........................................................................................................293
Query protocols.....................................................................................................293
Protocol list............................................................................................................294
Source reports............................................................................................................300
Query sources.......................................................................................................301
Traffic details for source host....................................................................................303
Traffic details.........................................................................................................307
Session reports...........................................................................................................308
Query sessions.......................................................................................................308
Contents
11
10 Inter-business monitoring........................................................................312
Inter-business traffic analysis overview......................................................................................312
Inter-business traffic analysis reporting overview...................................................................312
Inter-business traffic analysis configuration issues..................................................................313
Managing inter-business traffic analysis tasks...........................................................................313
Viewing details for a traffic analysis task.............................................................................314
Adding an inter-business traffic analysis task........................................................................314
Modifying a traffic analysis task.........................................................................................317
Deleting a traffic analysis task...........................................................................................319
Viewing inter-business traffic analysis reports............................................................................320
Navigating to the inter-business traffic analysis reports..........................................................320
Summary reports for all inter-business traffic analysis tasks.....................................................320
Granular reports for an inter-business traffic analysis task......................................................321
Single Business reports.................................................................................................321
Query traffic..........................................................................................................322
TopN avg. rate......................................................................................................322
Traffic details.........................................................................................................322
Flux Distribution......................................................................................................324
Inter-Business reports....................................................................................................325
Query traffic..........................................................................................................325
TopN Avg. Rate.....................................................................................................325
Traffic details.........................................................................................................326
Traffic Details.........................................................................................................327
Interest reports............................................................................................................328
Query Traffic.........................................................................................................328
TopN Avg. Rate.....................................................................................................329
Traffic details.........................................................................................................329
11 Performing traffic log audits in NTA.........................................................331

Configuring NTA for traffic log auditing...................................................................................331
Adding data sources to NTA.............................................................................................331
Adding a device.........................................................................................................331
Adding a probe..........................................................................................................331
Adding a VPN............................................................................................................332
Selecting the device or probe............................................................................................332
Configuring the aggregation policy....................................................................................333
Creating an interface, probe, or VPN traffic analysis task......................................................333
Adding an interface traffic analysis task.........................................................................333
Adding a probe traffic analysis task...............................................................................333
Adding a VPN traffic analysis task................................................................................334
Performing a traffic log audit..................................................................................................334
Viewing traffic log audit reports..............................................................................................335
Source host reports..........................................................................................................335
Source Host List...........................................................................................................335
Source Host Details list.................................................................................................336
Destination host reports....................................................................................................337
Destination Host List.....................................................................................................338
Destination Host Details list...........................................................................................339
12
Contents
Session reports................................................................................................................340
Session List.................................................................................................................340
12 NTA reports.........................................................................................342
13 NTA widgets........................................................................................343
Display tiling widgets............................................................................................................343
Configuring the display tiling display..................................................................................344
Configuring display tiling widget parameters.......................................................................344
Viewing the display effect.................................................................................................345
Home page widgets.............................................................................................................345
Configuring home page widget parameters.........................................................................346
TopN Application for Interface/VLAN/Probe/Host/VPN NTA Task (Last 1 Hour).................346
Traffic Trend for Interface/VLAN/Application/Probe/Host/VPN NTA Task(Last 1 Hour)........346
Application Traffic for Host NTA Task(Last 1 Hour)...........................................................346
TopN Session List(Last 1 Hour).......................................................................................347
Viewing the display effect.................................................................................................347
14 Analyzing traffic between virtual machines...............................................349

Deploying a probe on a virtual machine..................................................................................350
Setting the network configuration for a virtual machine network adapter......................................351
15 Acronyms and terms..............................................................................355

16 Support and other resources...................................................................356
Contacting HP......................................................................................................................356
Subscription service..............................................................................................................356
Related information...............................................................................................................356
Documents......................................................................................................................356
Websites........................................................................................................................356
Typographic conventions.......................................................................................................356
Document conventions......................................................................................................357
GUI conventions..............................................................................................................357
Symbols..........................................................................................................................357
17 Documentation feedback.......................................................................358
Index.......................................................................................................359
Contents
13
1 Introduction to Network Traffic Analyzer

The NTA service module integrates network layer 4 through 7 monitoring into the IMC network
management platform. NTA uses the instrumentation already available in network devices such
as routers and switches to provide realtime and historical reporting on network application usage.
Administrators tailor NTA data collection and reporting capabilities to meet specific reporting
needs. Administrators and operators view NTA reports directly from the IMC integrated platform.
NTA combines the features of a network flow collector with a data analysis and processing engine
and database, and a reporting facility for presenting network flow data in IMC. Like most network
monitoring systems, NTA enables administrators to define the data received by NTA, determine
what and how the data is analyzed, and decide what data is presented.
NTA enables you to view the network flow data provided by the devices in your network.
Out-of-the-box configuration of NTA provides the potential of network flow data collection, analysis,
and reporting. NTA users must have an understanding of network flow records and the devices in
the environment that generate network flow records. Also, users need to know how to configure
NTA to process the data and present reports.
NTA data source overview

NTA uses network flow data to generate network resource statistics. Several RFCs characterize a
flow.
An IP flow, commonly called a flow, is defined as a set of IP packets passing an observation point
in the network during a specified time interval. All packets that belong to a particular flow have a
set of common properties derived from the data contained in the packet and from the packet
treatment at the observation point (RFC 5101, RFC 3917, and RFC 3954).
An IP network flow contains a stream of IP packets that share, at a minimum, the following
parameters during a specified time period:
Source and destination IP address
Source and destination port
Layer 4 protocol (TCP, UDP, or ICMP)
This general definition does not include technologies, such as TCP, that identify flows for bidirectional
protocols. Vendors can add more parameters to identify network flows more specifically in the
implementations of network flow technologies.
Network device vendors implement network flow technologies in devices such as routers and
switches that forward packets from source to destination. Devices that generate network flow
records are called flow generators. Flow generators summarize the packets they observe as part
of a flow into a flow record.
The structure and contents of a network flow record may vary, depending on the standard to which
the implementation adheres. Also, proprietary implementations may have their own definitions for
the structure and content of a network flow record. As a general rule, a network flow record shares
many of the following parameters:
14
Version number
Sequence number
Input and output interfaces indices (ifIndex)
Timestamps for flow start and finish
Number of bytes
Number of packets
Introduction to Network Traffic Analyzer
Layer 3 and layer 4 header information including source and destination IP addresses and
port numbers, IP protocol, and type of service value
TCP flag summary information
Layer 3 routing information
Data available in network flow records and the data available in protocol analysis and other
diagnostic tools differ. Network flow records provide a summary of the information contained in
layers 4 through 7 of a network flow rather the contents of the IP packets that constitute a flow.
Information found in layers 1 through 3 usually is discarded in network flow implementations. As
a result, systems such as NTA that use network flow records provide summarized data based on
the contents of layers 4 through 7 in IP packets.
Network flow data is an efficient and cost effective way to provide administrators and network
operators with visibility into network resource usage. This visibility helps to identify many issues
and usage trends. It is not, however, a packet inspection or deep diagnostic tool such as a protocol
analyzer, which is more commonly used for diagnosing and pinpointing problems at all seven
layers of an IP network.
Network flow generators forward or push network flow records to an external device called a flow
collector that aggregates and processes network flow information. NTA serves as a network flow
collector for IP traffic information. NTA supports most standard IP network flow monitoring protocols
including NetStream v5/v9, NetFlow v5/v9, and sFlow v5, and NTA supports HP proprietary
probe traffic logs.
NetStream is a HP network traffic collection technique that includes three versions: v5, v8, and v9.
The most frequently used versions are v5 and v9. NTA can receive and analyze NetStream packets
in v5 or v9 format. NetStream v5 defines a flow by the 7-tuple elements of IP packets, and it does
not support aggregation data export. NetStream v9 defines a flow by the 7-tuple elements of IP
packets, and it supports aggregation data export and MPLS packet statistics. NetStream supports
the following traffic statistics collection modes: accurate statistics collection and sampled statistics
collection. When the accurate statistics collection mode is used, the router or switch collects statistics
of each packet passing through, and the collected statistics are accurate. However, the accurate
statistics collection mode requires high device performance. When the sampled statistics collection
mode is sued, the router or switch samples the packets passing through, and the collected statistics
are not accurate. However, the sampled statistics collection mode requires low device performance.
With NetFlow technologies, the routers and switches track all inbound conversations on each
interface on which NetFlow is enabled. The NetFlow-enabled router or switch examines each
packet based on the following key fields:
Source IP address
Destination IP address
Source port
Destination port
Layer 3 protocol type
ToS byte interface
Input logical interface
If packets share identical contents in each of the seven fields, the router or switch assumes these
packets are part of the same flow. The NetFlow router or switch then summarizes the conversation,
generates a NetFlow record, and forwards it to the NetFlow collector. One NetFlow packet can
contain summarized details for as many as 24 to 30 conversations. When a NetFlow-enabled
router or switch is configured properly and the router or switch is not overloaded, NetFlow data
can achieve 100% accuracy.
NTA data source overview
15
Like NetFlow, sFlow also summarizes traffic into a network flow record that it pushes to a collector.
It is also a technology that is implemented in devices, such as routers and switches, which forward
traffic from source to destination.
Unlike NetFlow, however, sFlow is implemented in hardware with a dedicated chip that performs
the flow analysis and processing. For this reason, sFlow technologies introduce much less load
onto the router or switch on which sFlow is enabled.
Another key difference between NetFlow and sFlow is that sFlow does not analyze every packet
in a flow but rather statistically samples every nth packet. As a result, sFlow data is often considered
to be less accurate than NetFlow data.
When you use routers or switches to collect network traffic statistics, the routers or switches must
support NetFlow, NetStream, or sFlow. For a device that do not support any of these protocols,
you can configure port mirroring on the device to mirror the network traffic to be analyzed to the
probe server, a server with a probe application program deployed. The probe server collects
statistics of the received mirrored traffic and generates probe traffic logs. Then, the probe server
uploads the probe traffic logs to the NTA server, where NTA analyzes the network traffic based
on the received probe traffic logs.
The HP probe servers include Linux servers with probe application programs installed and vMON
virtual machines or Linux servers with probe application programs deployed. A probe application
program is software which must be installed on a physical or virtual Linux server, and it collects
statistics of the received traffic of a physical or virtual network. A vMON is an OVF template with
a probe application program embedded, and it can be deployed on a VMware virtual server. It
collects statistics of the received traffic of a virtual network.
NTA and network flow record collection overview

To configure NTA and devices in order to collect a record of network flow:
1. Identify the areas of interest for which you want to capture network flow data.
This may include business services, applications, or systems and the underlying technologies
that deliver these services, as well as network devices or interfaces, servers, storage, or other
network resources.
When you identify where you want to capture network flow data, you can develop a plan to
enable network flow data. Segments of the network that are often valuable from a network
flow collection perspective include network ingress and egress points, aggregation points and
server farms.
2.
Identify all of the devices in the network that are capable of generating network flow records.
The network flow data protocols that NTA supports and for which it can process flow records
are NetStream v5/v9, NetFlow v5/v9, and sFlow v5. Therefore, you need to determine if the
devices that are network flow capable are compatible with the versions supported by NTA.
Routers and switches are the most likely candidates for network flow capable devices.
3.
Perform a gap analysis between those areas of your network that are network flow data
capable and those that are not.
You can do this by mapping the areas from step 1 to the device inventory you created in the
step 2. This enables you to identify the areas for which you can collect network flow data and
those areas that you cannot.
Two essential planning aids result from the analysis. First, you have a list of devices and the
interfaces on them for which you enable network flow data. Second, you have a list of those
devices and areas of your network that have no instrumentation.
Identifying those areas that have no network flow instrumentation helps you determine if you
can and want to use alternatives, such as probe server.
16
4.
Configure those devices that have network flow capabilities to forward network flow data for
the interfaces.
In this step, you enable network flow data collection. You may also configure on which
interfaces network flow collection should be enabled.
You need to configure these devices to forward network traffic flow data to the NTA server
that functions as a network flow collector. Therefore, in addition to enabling network flow
data on each of these devices, you configure the NTA server as the flow collector on these
devices.
See the vendor documentation for the NTA server information that is needed to configure it
to forward network flow records to the NTA server. The NTA server may be an IMC base
platform server that has the NTA service module installed on it. Otherwise, it may be a server
that is configured as a dedicated NTA server that communicates with an IMC base platform
server in a distributed or hybrid IMC deployment.
5.
6.
As an option, you can configure port mirroring on the routers or switches that do not support
any of the NetStream v5/v9, NetFlow v5/v9, or sFlow v5 protocols, so that the traffic can
be mirrored to the port connecting to the probe server. Then, you can manage the probes in
NTA and configure the probes to send the traffic logs to the NTA server.
After you complete the configuration of all network flow data devices, configure the NTA
server to receive and process the network flow records from every device you have configured.
For routers, switches, network flow probes and other devices that support NetStream v5/v9,
NetFlow v5/v9, or sFlow v5, use the Device Management feature found under the Settings
section of NTA.
For more information on using Device Management to configure NTA to receive network flow
data records for, see Device management.
7.
Configure the NTA server to receive and process the network low records from every probe
server you have installed. Use the Probe Management feature found under the Settings section
to add probes to NTA.
For more information on using Probe Management to configure NTA to receive network flow
data records from probe servers, see Probe management.
NTA provides administrators with access to modify the configuration of an NTA server. From
the server configuration page, you can modify such NTA server settings as server description,
the port that NTA uses to receive flow records on, FTP access information, traffic analysis log
and filter policies and disk space thresholds and policies.
You can also enable and disable NTA processing of flow records from devices and probes
on this page. For more information on configuring these features, see Managing NTA servers.
After you complete these steps, you have configured NTA to receive network flow records. However,
NTA does not begin processing or statistically analyzing flow records for any source until you
create a traffic analysis task.
NTA and network flow record processing overview

Until you select the probes and devices for which you want to process data and you configure
traffic analysis tasks, NTA ignores all network flow records forwarded to it. There are several NTA
features that administrators use to configure if, what, and how network flow records are processed.
These features include NTA server management, traffic analysis task management, application
and category management, NTA filter strategies, parameter settings. This section provides an
overview of each of these features and how they enable you to configure NTA to process network
flow records to get the visibility you need.
17
NTA server configuration

Configuring devices and probes in NTA using the Device management and Probe management
features establishes the communication paths between NTA and the devices in your infrastructure
that you have enabled for network flow record generation. After you have added a device or
probe, you must select the probes and devices for which you want to process data using the
Modifying an NTA server configuration feature found in the Managing NTA servers section
of this manual. Until you do so, devices and probes are not available as configuration options in
certain traffic analysis tasks such as interface and VPN traffic analysis tasks and the data from
devices and probes are not included in any traffic analysis tasks.
Traffic analysis task management

Traffic Analysis Task Management ties network flow records to data analysis, reporting, and report
navigation. Out of the box, NTA does not generate reports using the network flow records that
are directed to it through configurations on the devices and through the device and probe
management configurations in NTA. Administrators must create traffic analysis tasks that define
how NTA reports all network flow record data.
In addition, traffic analysis tasks define how resources in a network are grouped for analysis and
reporting purposes. This has a direct effect on the utility and accessibility of the data presented in
NTA reports.
Finally, traffic analysis tasks define how NTA presents report navigation and how you access
reports. NTA creates the reports and makes them available on the left navigation tree under the
Traffic Analysis and Audit section based on task configuration.
NTA traffic analysis tasks govern whether network flow records are presented as reports in NTA.
The next step is to create traffic analysis tasks because traffic analysis tasks direct NTA to process
and report on the network flow records it receives. Traffic analysis tasks enable you to configure
from which devices, interfaces, and probes you process network flow records as well as which
NTA network flow collector server processes the records. The following are the types of network
flow analysis tasks in NTA:
Interface
VLAN
Probe
Application
Host
VPN
Inter-business traffic analysis
For interface, VLAN, probe, and VPN traffic analysis tasks, define from which interface, VLAN,
probe, or VPNs the task processes network flow records and reports. NTA processes all received
network flow records for host, application, and inter-business tasks as these types of tasks are not
tied to specific network flow record sources.
Traffic analysis tasks also allow you to organize how network resources are grouped in NTA for
analysis and reporting purposes. This is a powerful configuration option that requires consideration,
as NTA summarizes data found in network flow records based on the way you have grouped
resources. For example, if you create an application task that groups six disparate applications,
NTA provides summarized reporting for all six applications as a whole, not for the individual
applications in the group.
For the most part, group network resources together by the seven types of network flow analysis
task options that NTA offers. However, NTA provides you with flexibility in how you group resources
of the same type. For example, you can create an interface traffic analysis task that contains one
18
or more interfaces from one or more devices. This enables you to provide summarized reporting
for interfaces based on the group criteria you define. These are some of the options:
Location
Function
Interface type
Organization structure
Inter-business traffic analysis tasks provide additional grouping capabilities because this task type
combines host and application grouping into tasks that are business-service oriented. NTA analyzes
and summarizes network flow records based on your method of grouping like resources. That is
probably the most important benefit.
The final aspect of traffic analysis tasks to consider is that the way you group tasks and the traffic
analysis tasks that you create defines how you access them. Traffic analysis tasks generate links
on the left navigation tree under the Traffic Analysis and Audit section that you use to access the
reports generated by them. Efficient and organized creation of tasks results in an efficient manner
for accessing reports.
Creating tasks that organize your resources effectively and contain only the resources on which
you want to report results in an efficient navigation tree.
For environments that have many devices that generate network flow data and many interfaces
for which administrators want to collect data, careful planning of NTA traffic analysis task
management is essential. This document has a chapter for each of the monitoring types offered by
NTA. For each type, the following chapters summarize reporting capabilities and describe
configuration considerations. Also, there are step-by-step instructions for creating tasks and accessing
the reports created by them. Review the contents of the chapter for the monitoring and reporting
type you want to enable in NTA to ensure that you get the most out of NTA and the network flow
data available in your network.
Application, protocol, and application category management

NTA enables administrators to configure how NTA handles applications in the processing and
reporting of network flow records. The features are application, protocol, and application category.
An application is the association of a port number to an application name. NTA comes with many
predefined applications. NTA also enables administrators to create user-defined applications. After
applications are created, administrators can select one or more applications for network flow
record processing when they create application, host, or inter-business traffic analysis tasks.
A protocol is the association of a protocol number to a protocol name. NTA installs with predefined
protocols. NTA also enables administrators to create user-defined protocols. You can enable or
disable any of the protocols to include or exclude the selected protocol from analysis and reporting.
An application category is a grouping of applications. NTA installs with predefined application
categories that group applications by application type. You can create your own application
categories to organize applications into categories. In addition, you can add user-defined
applications to application categories.
For more information on managing applications, protocols, and application categories in NTA,
see Managing applications, Managing protocols, and Managing application categories.
Filtering strategies
Filter strategies in NTA enable you to define whether the network flow records that NTA receives
are processed or discarded by NTA. You can choose to process and analyze or discard packets
based on their source or destination IP address or by source or destination layer 4 port number.
You can also process or discard TCP, UDP, or ICMP traffic. You can analyze or discard traffic
based on one or more combinations of source and destination IP address, port number, and
protocol.
19
Filter strategies consist of a name, description, default filter policy, and one or more filter conditions.
There are two types of filter policies. The Discard filter discards any packet that matches the filter
conditions. The Receive filter processes and reports on any packet that matches the filter conditions.
The Default Policy defines how log packets are treated by default when the conditions of the packet
do not match any of the filter conditions in the filter strategy.
A filter condition is a rule that defines the conditions under which log packets either are processed
or discarded. A filter strategy can have many filter conditions, but every filter strategy must have
at least one filter condition. In addition, at least one of the filter conditions must contain a filter
policy that does not match the default filter policy.
NTA supports a broad set of filter options for filtering by IP address, port, and protocol. You can
create multiple filter conditions for every filter strategy. Every NTA server supports an unlimited
number of filter strategies.
NTA enables you to specify which NetFlow, NetStream, and sFlow packets are processed and
which are discarded. For example, you can create filter strategies for every device or every VPN
on every device that forwards NetFlow, NetStream, or sFlow traffic to NTA. You can create filter
strategies by port number or traffic type across all devices that forward flow traffic to NTA. For
example, you can create a simple filter that discards all ICMP traffic from NTA analysis and
reporting. For more detailed information on filtering strategies in NTA, see Using NTA filtering
strategies.
NTA parameter settings

The NTA Parameter settings feature allows you to configure key analysis and reporting options.
Using the Parameters feature, you can configure how many entries NTA displays for TopN reporting,
how many days NTA maintains the flow data collected by devices, the maximum number of
displayed entries for audits, and the direction of VLAN traffic analysis tasks.
You can enable or disable the following:
ToS/MPLS Exp traffic analysis
unknown application traffic analysis
host session monitoring
baseline analysis
threshold alarming
VPN traffic analysis
peak traffic analysis
realtime traffic
conversation aggregation TopN
For detailed information on managing parameter settings in NTA, see Configuring NTA traffic
analysis parameters.
Network behavior anomaly detection

NTA collects statistics on traffic flow records and compares the statistics with a set of thresholds to
discover anomalies. The thresholds that NTA uses are saved in predefined anomaly detection
templates. When NTA discovers an anomaly, it sends the anomaly information (including the
source and destination IP addresses of the packet, the IP address of the device, and the type and
number of the interface) to IMC so IMC notifies administrators of the anomaly through its alarm
module.
20
The following are the anomaly detection templates:
TCP Null ScanDetermines whether a port is closed on the target host. The attacker sends to
the target host port a TCP packet with no flags in the packet header. If the port is closed, the
host returns a TCP RST packet. Otherwise, the packet is discarded.
TCP Fin ScanDetermines port status and the operating system version (Unix or Windows) on
the target host. The attacker sends to the target host port a TCP packet with the FIN bit set in
the packet header. If the port is closed, the host returns a TCP RST packet. Otherwise, the
packet is discarded.
TCP Syn Fin ScanIndicates that a network attack has occurred. TCP SYN is used to initiate
a TCP connection, and cannot be set together with the FIN and RST bits. Other similar
combinations include SYN/FIN, SYN/FIN/PSH, SYN/FIN/RST, and SYN/FIN/RST/PSH.
TCP Xmas ScanDetermines if ports are closed on the target host. The attacker sends to the
target host port a TCP packet with the FIN, URG, and PSH bits set in the packet header. If the
port is closed, the host returns a TCP RST packet. Otherwise the packet is discarded.
UDP Bomb AttackDetects an attack on an old version operating system. The attacker fills
the UDP header with some invalid values, such as length values. Some old version operating
systems crash when flooded with such packets.
Snork AttackDetects a DoS attack against Windows NT RPC service. This attack is
accomplished by sending UDP packets with source port 7, 19, or 135, and destination port
135.
UDP Flood AttackDetects a UDP-based DoS attack. This attack significantly consumes the
network bandwidth and degrades the network performance.
DNS Rogue HackDetects an attack that exploits the DNS protocol to transmit illegal data.
The attacker disguises the data as DNS traffic to send through the UDP port 53. Administrators
must specify a list of valid DNS servers to distinguish between legitimate and disguised DNS
traffic.
Invalid ToSDetects packets that contain invalid ToS values, such as 0, 2, 4, 8, and 16.
Land AttackDetects an attack on a host operating system. This attack is accomplished by

sending spoofed packets with source address the same as the destination address, causing
the operating system flooded with these packets to crash or hang.
Invalid IP ProtocolDetects spoofed IP packets with protocol numbers equal to or greater than
134. These protocol numbers are unassigned or reserved, and shouldn't be used in normal
networks.
Corrupt IP OptionDetects an attack on Windows operating system hosts. The attacker crashes
the target Window system or bypasses security checks by sending packets to the system with
carefully crafted IP options.
Time Stamp IP OptionDetects an attack on NetBSD hosts. The attacker launches a remote
DOS attack against the target NetBSD system by flooding the system with TCP packets that
contain unmatched IP timestamp options, causing the NetBSD system to crash.
Source Route IP OptionDetects an attacker that uses IP source options to hide its true address
and accesses restricted areas of a network by specifying a different path.
Record Route IP OptionDetects an attacker that uses IP route record options to gain information
about the architecture and topology information of the network through which the IP packets
passed.
Security IP OptionDetects forged IP packets with security options in the packet header. The
IP security option is obsolete and therefore its presence in the IP header is suspect.
Stream ID IP OptionDetects forged IP packets with stream ID options in the packet header.
The stream ID option is obsolete and therefore its presence in the IP header is suspect.
Network behavior anomaly detection
21
Ping of Death AttackDetects an attack on hosts or network devices. The attacker sends large
ICMP packets greater than 65507 bytes in size, causing the hosts or network devices that
receive these packets to crash, freeze, or reboot.
Large ICMP PacketDetects large ICMP packet attack detection. Typically, ICMP packets
contain very short messages. The presence of large ICMP packets might indicate that something
is wrong in the network.
Fragmented ICMP PacketProvides ICMP fragment detection. Because ICMP packets contain
very short messages, there is no legitimate reason for ICMP packets to be fragmented.
ICMP RedirectsDetects when an attacker sends spoofed ICMP redirect packets to the target
host to alter its routing table.
ICMP Destination UnreachableDetects when the attacker uses spoofed ICMP unreachable
packets to mislead the target host to cut the connection to a specified network. This may
happen when operating systems drop the connection to a specified network upon receiving
an ICMP unreachable packet, indicating that the network is unreachable.
ICMP Request ExcessDetects an attack on a host operating system. The attacker floods the
target host with ICMP echo requests, or Ping messages, which significantly consumes the
resources and bandwidth of the host.
ICMP Reply ExcessDetects when an attacker uses the ICMP reply messages to probe a host
for its operating system information.
ICMP Source QuenchDetects when an attacker uses spoofed ICMP source quench packets
to limit the bandwidth available to other users. ICMP source quench packets can reduce the
data transmission rate, which is recovered after the sending of such packets is stopped.
ICMP Parameter ProblemDetects ICMP packets that contain invalid parameters.
ICMP Time ExceededDetects when an attacker sends spoofed ICMP time exceeded messages
to either or both of the communication parties to cut their connection.
DHCP Offer PacketDetects when an attacker sends a spoofed DHCP Offer packet with a
random IP address to the host requesting the DHCP service, causing network anomalies.
You must configure these templates. For more information, see Anomaly detection
management.
NTA widgets
To facilitate the administrator's monitoring of the network performance operating status, NTA
provides various widgets. With these widgets, the administrator can monitor the network
performance from different aspects at the same time. The widgets that NTA provides include display
tiling widgets and home page widgets. The administrator can use the display tiling function or
home page function of IMC to customize and view these widgets. For more information about NTA
widgets, see "NTA widgets."
Analyzing the network traffic between virtual machines

More and more enterprises are using virtualization technology. By running multiple virtual machines
on one VMware server, you can improve the physical server usage, reduce the hardware
investments, and reduce the power consumption of the data center.
Virtual machines running on the same VMware server can provide more types of services for
network users at the same time. Each virtual machine has its own IP/MAC address. Therefore, all
traffic passing through the devices can be captured by the device supporting NetStream v5/v9,
NetFlow v5/v9, or sFlow v5, and sent to NTA for processing and analysis. However, because the
traffic between virtual machines is internally forwarded by the vSwitches of the VMware server
without passing through the devices, such traffic cannot be captured and forwarded to NTA for
processing and analysis.
22
HP provides the probe server for analyzing the traffic between virtual machines.
The HP probe servers include Linux servers with probe application programs installed and vMON
virtual machines, or Linux servers with probe application programs deployed.
When the Linux servers with probe application programs deployed are used, the operators
must create a virtual Linux server on the VMware server and deploy a probe application
program on the virtual Linux server. After the deployment, the operators must set the vSwitch.
For information about using the probe to analyze the traffic between virtual machines, see
Analyzing traffic between virtual machines.
When the vMON virtual machines are used, the operators must import vMON on the VMware
server, and set the vSwitch after importing the vMON. For more information about the vMON
usage, see vMON Administrator Guide.
Analyzing the network traffic between virtual machines
23
2 Configuring NTA for traffic analysis and auditing

NTA enables you to manage the reception, analysis and presentation of network flow records.
You must configure devices to forward network flow data to NTA, add devices and probes to NTA,
select each device and probe in the NTA server configuration page, and then create a task for
each type of reporting you want. NTA produces reports using data generated by devices and
probes, and there are many configuration parameters in NTA that enable you to tune very
specifically how NTA analyzes and presents data.
This chapter describes how to add devices and probes to NTA. It describes the configuration
options for NTA server management, and the process of managing applications, protocols, and
application categories in NTA. It reviews the parameters for tuning, describes the NTA filtering
strategies, and it reviews the process for managing database space.
Managing NTA data sources

NTA supports two types of devices as network flow data sources. The first type of devices are
devices such as routers and switches that support NetStream v5/v9, NetFlow v5/v9, or sFlow v5
monitoring. You can add devices to NTA using the Device Management feature. When network
flow data from one or more of these devices is necessary, you can modify the NTA server
configuration, and deploy the new configuration. This makes it easy to adjust your network flow
analysis configuration as your needs change.
The second device type for which NTA processes network flow data is a probe. A probe in NTA
is a server that has the probe application program installed. A probe creates network flow records
from devices that do not support network flow record generation. Using the probe, you can mirror
traffic from a router or switch port or through an inline tap to a probe server that collects and
analyzes the traffic before forwarding to an NTA server. As with Device Management, the Probe
Management feature of NTA allows you to add probes without enabling network flow record
processing for them until the need arises.
The NTA Device List contains devices such as routers, switches, and other devices that have been
added to NTA as a potential source of network flow records. Adding a device or probe to NTA
establishes a communication path between NTA as the network flow collector and the devices or
probes that generate network flow records. It does not enable data collection or processing in
NTA, nor does it add the device or probe to traffic analysis tasks for reporting purposes. To do
so, you must select every device and probe for which you want to process data using the Managing
NTA servers feature, and specifically the section on Modifying an NTA server configuration.
After you do this, the device or probe becomes available for use in all traffic analysis tasks, and
the device data then becomes generally available to traffic analysis tasks. To include device data
in specific interface and VPN tasks, create a traffic analysis task, and select the devices you want
to include in the reporting. Adding devices to NTA does not enable NetStream, NetFlow, or sFlow
on the device itself. You must also enable NetStream, NetFlow, or sFlow on the devices that you
add to this list.
After you add a probe to NTA, you must also select it using the Modifying an NTA server
configuration feature found under Managing NTA servers. The probe data then becomes
generally available to traffic analysis tasks. To include probe data in a specific probe traffic analysis
task, you must add the probe to a probe traffic analysis tasks. For more information on configuring
a probe traffic analysis task, see Managing probe traffic analysis tasks.
This section explores the process of adding routers and switches and probes as data source devices
in NTA.
Device management
NTA functions as a NetStream v5/v9, NetFlow v5/v9, and sFlow v5 collector for network flow
statistical analysis and reporting. Device Management in NTA enables you to view, add, modify,
24
Configuring NTA for traffic analysis and auditing
or remove devices that are network flow data sources in NTA. Routers and switches that support
NetStream v5/v9, NetFlow v5/v9, and sFlow v5 data are devices that are data flow sources in
NTA. You can add them to NTA using the Device Management feature. Under Device Management,
you can add a router or switch as a network flow source to NTA. You can also view, modify, and
delete routers and switches that have been added to NTA network flow sources.
Every device that NTA processes network flow records for consumes a license. NTA provides the
ability to add routers and switches as potential network flow data sources. When network flow
data from one or more of these devices in the Device List is needed, you can modify the NTA server
configuration to deploy the new configuration, enabling you to adjust your network flow analysis
configuration as needs change.
This section explores the process of viewing, adding, modifying, and removing routers, switches
and other devices as network flow data sources in NTA. The section Managing NTA servers
explores the process of configuring an NTA server as a NetStream v5/v9, NetFlow v5/v9, or
sFlow v5 collector and to enable or disable specific devices and probes for collection and analysis.
This guide does not provide instructions for enabling NetStream, NetFlow, or sFlow on routers,
switches, or other devices. For more information on how to enable NetStream, NetFlow, or sFlow
on a particular device, see the vendor documentation.
Viewing the NTA device list

The NTA device list contains all devices such as routers, switches, and other devices that have
been added to NTA as a potential source of network flow records. Adding a device to NTA
establishes communication between NTA as the network flow collector and the devices that generate
network flow records. Adding devices to NTA does not enable NetStream, NetFlow, or sFlow on
the device. You must also configure NetStream, NetFlow, or sFlow on the devices that you add to
this list.
To view the NTA Device List:
1. Select Service > Traffic Analysis and Audit > Settings.
2. In the settings area of the Traffic Analysis and Audit page, click the Device Management link.
NTA displays all devices that are data sources for the NTA service module in the Device List
displayed in the main pane of the Device Management page.
Device List contents
3.
NameContains the name of the device that provides network flow data. The contents
of this field link to the NTA Device Details page for more detailed information on the
associated device. For more information on this feature, see Viewing the NTA device
details page. By default, IMC autopopulates this field with the device name when you
select a device using the Add option under Device Management. However, you can
override the Device Label by assigning a new name to the device.
Device IPContains the IP address of the device that provides the network flow data.
DescriptionContains a description for the device that provides the network flow data.
Device Resource InfoContains a link

to the Device Details page for the associated
device. The device must be managed by NTA and the device must be added using the
By View or By Advanced methods for this feature to function.
ModifyContains a link
DeleteContains an icon
to the Modify page for the associated device.

for deleting the associated device.
To query NTA for the most current Device List, click the Refresh button in the upper left corner
of the Device List.
25
NOTE: You can sort the Device List by the Name, Device IP and Description fields. Click the
column label to sort the list by the selected field. The column label allows you to toggle between
the sort options specific to each field.
Viewing the NTA device details page

To view NTA Device Details:
NTA displays all devices that are data sources in the Device List in the main pane of the Device
Management page.
3. In the Name field of the device for which you want to view details, click the contents.
The Device Details page for the selected device appears.
Device details contents
4.
26
Device IPContains the IP address of the associated device that provides the network
flow data.
NameContains the name of the device that provides the network flow data. By default,
NTA autopopulates this field with the device name when you select a device using the
Add option under Device Management. However, you can over-ride the Device Label by
assigning a new name to the device.
DescriptionContains a description for the device that provides the network flow data.
SNMP CommunityContains the NTA SNMP Read community string for the associated
device. It does not contain the SNMP Read community string configured on the device.
However, for NTA to function properly, the SNMP Read community string in NTA must
match the SNMP Read community string that is configured on the device.
SNMP PortContains the SNMP port number used by NTA to communicate with and
receive data from the device forwarding network flow data.
Log Source IPContains the IP address of the device that sends logs.
NetStream Statistics IdentifierIndicates whether or not NetStream Statistics Identifier is

valid for the selected device.
NetStream New FeatureIndicates whether or not NetStream flow sampling feature is

enabled for the selected device. This feature is only for HP A series devices with Comware
V5.
NetStream Sampling RatioIndicates NetStream sampling ratio configured by the device.

One indicates that the sampling ratio is 1:1, and 100 indicates that the sampling ratio
is 1:100. For devices that support the NetStream new feature, NTA can obtain the
sampling ratio automatically. For devices that do not support the NetStream new feature,
the NetStream sampling ratio must be set manually. The sampling ratio configuration
must be the same as that of the device. Otherwise, traffic statistics errors occur.
sFlow SettingsIndicates whether sFlow is enabled for devices. You can enable the sFlow
feature for devices by using NTA.
Sample RateRate at which sFlow samples packets. One thousand indicates that
the sample rate is 1:1000.
Interface List with sFlow EnabledList of interfaces with sFlow enabled.
Click Back to return to the Device List.
Adding an NTA data source device

You can add devices as data sources for NTA using the Add feature on the Device Management
page. However, you must be an administrator to add, modify, or delete devices that are used as
data sources in NTA.
To add an NTA data source device:
3.
Click Add.
The Add Device page appears.
4.
In the Device IP field, enter the IP address of the device you want to add as a data source.
Use this option if you know the IP address of the device managed by NTA or if you want to
add a data source device that is not managed by NTA. If you add a device by entering its
IP address, you cannot navigate to its Device Details page from the Device List. Otherwise,
you can add a device either by the View or by the Advanced query methods. For more
information, see "Modifying an NTA data source device."
5.
To the right of the Device IP field, click the Select button.

The Select Devices dialog box appears.
Adding a device by view
a. In the Select Devices dialog box, click the By View tab.
b.
c.
To expand the view so you can select a device, click the arrow icon
next to the three
view options: IP View, Device View, or Custom View.
On the navigation tree to the left, click the view you want to select a device.
The devices from the group you click appear in the Devices Found field to the right of the
navigation tree.
d.
Highlight the device you want to select from the Devices Found list, and click the Add
selected button
e.
f.
g.
h.
to add it to the Selected Devices list.
To remove a device, highlight the device, and click the Remove selected button .
Confirm that the device you have selected has been added by reviewing the Selected
Devices list.
Click OK.
Confirm that the device IP address now appears in the Device IP field and the device
name appears in the Name field.
Adding a device by advanced query

You can add a device using the advanced query option to search NTA using various criteria
and use the search results to add a device.
a. In the Select Devices dialog box, click the Advanced tab.
b. On the Advanced tab, enter values in one or more of the search parameters:
Device IPEnter the IP address for which you want to query.

Click the Exact Query box to search for the exact IP address you have entered.
27
Leave the Exact Query box unchecked to match only a certain portion of the IP
Address.
c.
Device LabelEnter a partial or complete name for the devices you want to add.
NTA supports fuzzy matching for this field. Therefore, you can enter a partial or
complete string for the device name.
Device StatusIn the Device Status list, select the device status.
Device CategoryIn the Device Category list, select a device type.
Device SeriesIn the Device Series list, select a device series.
ContactEnter the contact name information you want to search by. NTA supports
fuzzy matching for this field. Therefore, you can enter a partial or complete string
for the contact.
LocationEnter the location information for which you want to search. NTA supports
fuzzy matching for this field. Therefore, you can enter a partial or complete string
for location.
Device ReachabilityIn the Device Reachability list, select device reachability status.
Click Query to begin your search.

The results of your search appear in the Devices Found field to the right of the navigation
tree.
6.
7.
d.
Highlight the device you want to select, and click the Add selected button
to the Selected Devices list.
to add it
e.
f.
To remove a device, highlight the device, and click the Remove Selected button .
Review the Selected Devices list to confirm that the device you selected has been added,
and then click OK.
Confirm that the device appears in the Device IP field and the device name appears in the
Name field.
Enter the name for this device in the Name field.
If you used the Select option in Step 3, you can remove and add a new name or append to
the device name that was autopopulated.
8.
9.
In the Description field, enter a description for this device.

In the SNMP Community field, enter the SNMP Read community string.
This field must match the SNMP Read Community String that is configured on the device that
is being added. The configuration takes effect on only devices with SNMPv1 or SNMPv2c
enabled.
For a device with SNMPv3 enabled, you must configure the device IP by selecting a device
IP and correctly configure the SNMPv3 parameters of the device in the IMC platform.
10. In the SNMP Port field, enter the UDP port number that is being used to SNMP poll the device.
The value you enter in this field must match the port number that is configured on the device
that is being added. The default value for this field and for SNMP polling is 161.
28
11. In the Log Source IP field, enter the IP address of the Log Source for this device.
If NTA cannot access a device through SNMP, you must specify the IP address. Otherwise,
you can leave this parameter blank. You must specify a unique log source IP address for each
device added as a log source.
CAUTION: If the device you are adding has multiple IP addresses, add only one IP address
for the source data device and add the device once to NTA. Do not create multiple instances
of the same data source device using different IP addresses, because this will skew the traffic
analysis results.
12. From the NetStream Statistics Identifier list, select Valid if you add a device that supports
NetStream Statistics Identifier. Select Invalid if you add a device that does not support
NetStream Statistics Identifier.
13. From the NetStream New Feature list, select Enable if you are adding a device that supports
NetStream New Feature.
14. Select Disable if you are adding a device that does not support the NetStream New Feature.
This feature is only for HP A series devices with Comware V5. Do not configure this feature
for other devices.
For devices that do not support the NetStream new feature, you must enter the NetStream
sampling ratio. One indicates that the sampling ratio is 1:1, and 100 indicates that the
sampling ratio is 1:100. For devices that support the NetStream new feature, NTA can
automatically obtain the sampling ratio from devices that support the NetStream new feature.
The sampling ratio configuration must be the same as that of the device. Otherwise, traffic
statistics errors occur.
15. Select whether to enable sFlow for the device.
You can enable sFlow for only devices added to NTA through selecting IPs. After enabling
sFlow, you must set the sFlow sample rate and interfaces with sFlow enabled.
Sample RateEnter the rate at which sFlow samples packets. 1000 indicates that the
sample rate is 1:1000.
Interface List Which Enable sFlowClick Select. The dialog box for selecting interface
appears. Select the interfaces for which you want to enable sFlow, and click OK.
16. Click OK to add the device as a data source. NTA deploys the sFlow-related configuration to
devices with sFlow enabled through SNMP.
Once you have added a device to NTA as a network flow data source, you must also select it
using the NTA server management feature for it to become available for analysis task configurations
and reporting. For more information on selecting a device using the NTA server management
feature, see Managing NTA servers and specifically the section on Modifying an NTA server
configuration.
You must also configure the device to forward NetStream, NetFlow or sFlow traffic to the NTA
server. See your vendor documentation for configuring a router or switch to enable NetStream,
NetFlow or sFlow data to a collector. For more information on configuring the NTA server as a
collector, see Managing NTA servers.
Modifying an NTA data source device

To modify an NTA data source device:
29
3.
Click the Modify icon

for the NTA data source device entry you want to modify. The Modify
Device page is displayed.
NOTE: After you create an NTA data source device, you cannot modify the IP address or
the name of the data source device.
4.
5.
In the Description field, enter a description for this device.

In the SNMP Community field, modify the SNMP read community string.
This field must match the SNMP read community string that is configured on the device that
is being added. The configuration takes effect on only devices with SNMPv1 or SNMPv2c
enabled. For a device with SNMPv3 enabled, you must configure the device IP by selecting
a device IP and correctly configure the SNMPv3 parameters of the device in the IMC platform.
6.
In the SNMP Port field, modify the UDP port number that is being used to SNMP poll the
device.
The value you enter in this field must match the port number that is configured on the device
that is being added. The default value for this field and for SNMP polling is 161.
7.
In the Log Source IP field, add or modify the IP address of the Log Source for this device.
If NTA cannot access a device through SNMP, you must specify the IP address. Otherwise,
you can leave this parameter blank. You must specify a unique IP address for each device
added as a log source.
NOTE: If the device you are adding has multiple IP addresses, add only one IP address for
the source data device and add the device once to NTA. Do not create multiple instances of
the same data source device using different IP addresses, because this will skew the traffic
analysis results.
8.
From the NetStream Statistics Identifier list, select Valid if you are adding a device that supports
NetStream Statistics Identifier.
Select Invalid if you are adding a device that does not support NetStream statistics identifier.
9.
In the NetStream New Feature list, select Enable if you are adding a device that supports
NetStream new feature.
10. Select Disable if you are adding a device that does not support NetStream new feature.
This feature is only for HP A series devices with Comware V5. Do not configure this feature
for other devices.
11. Modify the NetStream sampling ratio.
The configuration takes effect on only devices that do not support the NetStream new feature.
One indicates that the sampling ratio is 1:1, and 100 indicates that the sampling ratio is
1:100. The sampling ratio configuration must be the same as that of the device. Otherwise,
traffic statistics errors occur.
12. Select whether to enable sFlow for the device.
You can enable sFlow only for devices added to NTA through selecting IPs. After enabling
sFlow, you must set the sFlow sample rate and interfaces with sFlow enabled.
Sample RateEnter the rate at which sFlow samples packets. 1000 indicates that the
sample rate is 1:1000.
Interface List Which Enable sFlowClick Select. The dialog box for selecting interface
appears. Select the interfaces for which you want to enable sFlow, and click OK.
13. Click OK to confirm the modifications.

NTA deploys the sFlow-related configuration to devices with sFlow enabled through SNMP.
30
Deleting an NTA data source device

You can delete a device you have added to NTA. Deleting a device from NTA does not delete
the data received from the device prior to the deletion. The data for all deleted devices is retained
in the database according to the NTA server configuration.
To delete an NTA data source device:
2. In the Settings area of the Traffic Analysis and Audit page, click the Device Management link.
3.
4.
Click the Delete icon

for the NTA data source device entry you want to delete.
Click OK to confirm the deletion of the selected NTA data source device.
The Device List reflects the deletion of the selected device.
NOTE: After an NTA data source device is deleted, all traffic analysis tasks associated with the
device are terminated.
Probe management
NTA provides a solution for collecting and analyzing traffic from devices that do not support
NetStream v5/v9, NetFlow v5/v9 or sFlow v5. Using the probe, you can mirror traffic from a
router or switch port to a probe server that collects and analyzes the traffic before forwarding as
network flow records to an NTA server. In NTA, the communication between the NTA server and
the probe is configured using the probe management features of NTA. You must also select the
probe in the Server Management page for the probe to become available in traffic analysis task
configurations and reports.
For more information on selecting a probe in the NTA server configuration, see Managing NTA
servers, and specifically, the section on Modifying an NTA server configuration. You must be
an administrator to add, modify, or delete probes in NTA. This section explores these features and
the process for integrating traffic data from a probe into NTA.
Viewing the probe list

All probes configured in NTA can be viewed in the probe list. From this list you can view the details
of a probe configuration as well as modify or delete existing probes, or add new probes. To view
the probe list:
2. In the settings area of the Traffic Analysis and Audit page, click the Probe Management link.
NTA displays all probes in the Probe List displayed in the main pane of the Probe Management
page.
Probe List contents
NameContains the name of the probe. The contents of this field link to the Probe Details
page for the associated probe.
IPContains the IP address of the probe.
DescriptionContains the description for the associated probe.
Enable Layer 7 Application IdentificationIdentifies whether layer 7 application

identification has been enabled for traffic from this probe.
to the Modify page for the associated probe.

for deleting the associated probe.
31
3.
To query NTA for the most current Probe List, click the Refresh button located in the upper left
corner of the Probe List.
NOTE: You can sort the Probe List by the Name, IP, Description, and Enable Layer 7 Application
Identification fields. Click the column label to sort the list by the selected field. The column label is
a toggle switch that allows you to toggle between the various sort options specific to each field.
Viewing the NTA probe details page

To view the NTA probe details:
page.
3.
Click the contents of the Name field to navigate to the Probe Details page for the associated
probe.
Probe Details contents
4.
NameContains the probe name assigned to it by the administrator.
IPContains the IP address of the associated probe.
DescriptionContains a description for the associated probe.
Enable Layer 7 Application IdentificationIdentifies whether or not layer 7 application

identification has been enabled for the selected probe.
Click Back to return to the Probe List.
Adding a probe
To add a probe in NTA:
1. Select Service > Traffic Analysis and Audit > Settings from the top navigation bar.
NTA displays all probes in the Probe List in the main pane of the Probe Management page.
3.
Click Add.
The Add Probe page appears.
4.
In the Name field, enter a name for the probe.

The name for each probe must be unique.
5.
In the IP field, enter the IP address of the probe.

The IP address of the server cannot be the same IP address as the device from which traffic is
being mirrored.
6.
7.
8.
In the Description field, enter a brief description for this probe.

Do one of the following:
If you want NTA to include layer 7 application information in the analysis of traffic received
by the probe, select Yes from the Enable Layer 7 Application Identification list.
To disable the identification of layer 7 application identification from probe data analysis,
select No.
Enter the password for the probe in the Probe Password field.
The password must be the same as the password set when you install the probe. If you have
not set a password when you installed the probe, it is not necessary to set a password when
you add a probe to NTA. To set a password for a probe, see Intelligent Management Center
Probe Installation Guide.
32
9.
Click OK to add the probe.

After you have added a probe to NTA as a network flow data source, you must also select it
using the NTA server management feature for it to become available for traffic analysis task
configurations and for reporting. For more information about selecting a probe using the NTA
server management feature, see Managing NTA servers, and specifically, the section on
Modifying an NTA server configuration.
You must also install the probe application program on a dedicated server and configure it
to receive traffic mirrored from the ports you want to view statistics for.
You must also configure the router or switch to mirror traffic from one or more ports to the port
to which the probe server/NTA is connected. If you are using a tap kit, you must also install
the tap kit inline into the link being monitored. See your vendor documentation for configuring
a router or switch to enable NetStream, NetFlow, or sFlow data to a collector or for information
on installing tap kits. For more information about configuring the NTA server to receive network
flows from a probe, see Managing NTA servers.
Modifying a probe
To modify the parameters of an existing probe:
NTA displays all probes in the Probe List in the main pane of the Probe Management page.
3.
for the probe you want to modify.
The Modify Probe page appears.

4.
Modify the name of the probe in the Name field.

The name of each probe must be unique.
NOTE:
5.
6.
7.
After you create a probe, you cannot modify the IP address for the probe.
Modify the description for the probe in the Description field.

Do one of the following:
If you want NTA to include layer 7 application information in the analysis of traffic received
by the probe, select Yes from the Enable Layer 7 Application Identification list.
To disable the identification of layer 7 application identification from probe data analysis,
select No.
Click OK to accept your modifications to the existing probe entry.
Deleting a probe
You can delete a probe you have added to NTA. Deleting a probe from NTA does not delete the
data received from the probe prior to deletion. The data for all deleted probes is retained in the
database in accordance with the NTA server configuration.
To delete a probe:
page.
3.
4.

for the probe you want to delete.
Click OK to confirm the deletion of the selected probe.
The Device List reflects the deletion of the selected device.
33
NOTE:
After a probe is deleted, all traffic analysis tasks associated with the probe are terminated.
Managing NTA servers

The NTA service module can be installed on the IMC base platform server or on separate server
in a master/subordinate relationship to the base platform server. The server management feature
in NTA allows you to manage the configuration of all NTA servers, whether or not the NTA server
is local to the IMC base platform server. Each NTA server is added to the service list when the
NTA server is installed.
When the NTA service module is installed on the IMC platform server, the server name is the
loopback address or 127.0.0.1 by default. When the NTA service module is deployed on a server
other than the platform server, the server name is the server IP address by default. When the NTA
service module is uninstalled, the installation program removes the NTA instance from the server
list.
You can deploy up to 10 NTA servers for one NTA module. Multiple servers can share load to
improve the NTA server performance. To use no more than ten NTA servers, you only need to
purchase a license for one NTA module and ensure that the total number of managed device nodes
does not exceed the limit of the license. To use more than ten NTA servers, you must purchase
more than one set of the IMC platform and NTA module.
Viewing the NTA server list

To view the Server List:
2. In the settings area of the Traffic Analysis and Audit page, click the Server Management link.
NTA displays all servers in the Server List displayed in the main pane of the Server Management
page.
Server list contents
3.
Server NameContains the name of the NTA server. By default, this contains the loopback
address of the local server when NTA is installed on the same server as the IMC base
platform. The contents of this field are a link for viewing more detailed information for
the associated server.
Server IPContains the IP address of the NTA server. By default, this contains the loopback
platform.
DescriptionContains the description for the associated NTA server.
Capture Flux LogContains an icon

for initiating the capture of the traffic log for the
associated NTA server for one hour. This option provides the traffic log data for the traffic
log auditing feature in NTA.
Deploy ConfigurationContains an icon

associated NTA server.
for deploying the configuration for the
to the Modify page for the associated NTA server.
To query NTA for the most current Server List, click the Refresh button in the upper left corner
of the Server List.
NOTE: You can sort the Server List by the Server Name, Server IP and Description fields. Click
the column label to sort the list by the selected field. The column label allows you to toggle between
34
Viewing the NTA server details page

To view the NTA server details:
page.
3.
Click the contents of the Name field to navigate to the server details page for the associated
server.
Server base information
platform.
Server DescriptionContains a description for the associated server.
Processor IPContains the IP address for the associated server.
Listening PortIdentifies the ports that the associated server uses to listen for network
flow records.
FTP Main DirectoryIdentifies the root directory for the FTP service running on the
associated server.
FTP UsernameIdentifies the username of the FTP account used by probes to upload data
to the NTA server.
Traffic Analysis Log Aggregation PolicyIdentifies whether the standard or rough

aggregation policy is in use on the associated server.
Filter PolicyIdentifies whether or not a filtering policy has been applied to network flow
records directed to the associated server.
Usage Threshold of the Database Disk (1-95%)Identifies the threshold for the percent
of database disk utilization defined for the associated server.
When Database Disk Usage Reaches ThresholdIdentifies the action that is taken if the
disk that the database resides on reaches the threshold specified in the Usage Threshold
of the Database Disk field.
Traffic analysisdevice information
Device NameContains the name of the probe that provides network flow data for the
associated server.
Device IPContains the IP address of the probe that provides the network flow data for
Device DescriptionContains a description for the device that provides the network flow
data for the associated server.
Traffic analysisprobe information
4.
Probe NameContains the name of the probe that provides the network flow data for
Probe IPContains the IP address of the probe that provides the network flow data for
Enable Layer 7 Application IdentificationIdentifies whether or not layer 7 application

identification has been enabled for traffic from this probe that provides the network flow
data for the associated server.
Click Back to return to the Server List.

35
Modifying an NTA server configuration

To modify the configuration of the NTA server:
1. From the top navigation bar, select Service > Traffic Analysis and Audit > Settings.
page.
3.
4.
5.
In the Modify field, click the icon

for the NTA server you want to modify.
In the Server Name field, modify the NTA server name, by deleting the old name and entering
the new name.
In the Server Description field, modify the description for the NTA server.
NOTE:
6.
You cannot modify the IP address of an NTA server.
Modify the UDP ports that NTA uses to communicate with the devices and probes that send
traffic data in the Listening Port field.
NOTE: If you change the port assignments in this field, you must also change them on the
devices and probes transmitting the traffic data to the NTA server.
7.
8.
9.
10.
In the FTP Main Directory field, enter or modify the path to the FTP Main Directory.
In the FTP Username field, enter or modify the FTP user name.
In the FTP Password field, enter or modify the FTP password.
From the Traffic Analysis Log Aggregation Policy list, select the aggregation policy you want
to apply to all log files processed by this NTA server. Options are:
No Aggregation (Best Timeliness)This option does not aggregate data, and is suitable
for environments that have high requirements on report timeliness. This aggregation mode
requires much disk space because a huge number of logs are generated.
Aggregation (Standard)This option aggregates data at five-minute intervals and is

suitable for environments that have a medium number of logs generated and requires
less disk space than the No Aggregation mode and more disk space than the Aggregation
(Rough Granularity) mode.
Aggregation (Rough Granularity)This option aggregates data at twenty-minute intervals

and is suitable for environments that have a small number of logs generated and requires
the least disk space.
11. From the Filter Policy list, select the filter policy to discard any data you do not want to process
and report on. Options are the user-defined filters created using the NTA filter strategy feature
and Not Filter.
Select the Not Filter option if you do not want to exclude any data using filters.
NOTE: You must first create a filter strategy before you can select it. To create a filter strategy,
see Using NTA filtering strategies.
12. Enter the percent of disk space on the disk or volume assigned to the database that can be
used by NTA before NTA either stops receiving logs or deletes logs to release disk space.
36
13. From the When Database Disk Usage Reaches Threshold list, select the action you want NTA
to take when the NTA database disk or volume consumption exceeds the threshold you set
previously.
Options are:
Stop Receiving LogsWhen the specified threshold or percent of disk space is reached,
NTA no longer processes and stores traffic analysis data until additional disk space is
released or added to the database disk or volume.
Delete Logs to Release SpaceWhen the specified threshold or percent of disk space is
reached, NTA deletes existing logs from the oldest, until the disk space usage drops
below the threshold or percent.
14. After you add a device to NTA using the steps described in the Device management section
of this manual, you must select it on the Server Configuration page to make it available for
processing and reporting when you create a task.
a. To enable the processing of network flow data from a device (router or switch) in NTA,
click the checkbox next to the device name in the Traffic AnalysisDevice Information
section.
b. To disable the processing of network flow data from a device in NTA, click the checkbox
next to the device name. If you want to add a device that does not appear on the Device
Information list, see Managing NTA data sources and specifically the section on Device
management.
15. After you add a probe to NTA using the steps described in the Probe management section
of this manual, you must select it on the Server Configuration page to make it available for
processing and reporting when you create a task.
a. To enable the processing of network flow data from a probe in NTA, click the checkbox
next to the probe name in the Traffic AnalysisProbe Information section.
b. To disable the processing of network flow data from a probe in NTA, click the checkbox
next to the probe name. To add a probe that does not appear on the Probe Information
list, see Managing NTA data sources and the section on Probe management.
NOTE: Every device and probe selected in the Server Configuration page consumes a
license. If you do not have enough licenses to add a device or probe, then you must deselect
a device or probe before adding a new one. If the device or probe you deselect is configured
for an interface or probe task, you must remove it from the task before you can be select a
new device or probe in the Server Configuration page. For more information on modifying a
traffic analysis task, see the Managing Traffic Analysis Task section in this manual for the task
type you want to modify. For example, if you want to modify an interface task, see Modifying
an interface traffic analysis task.
16. Click Deploy to accept and deploy your NTA server configuration changes.
17. After NTA completes the deployment of the NTA configuration changes, the Configuration
Deployment Result page appears. Review the results in the Deployment Details fields for
Processor, Receiver, and Probe Deployment Result to verify that the changes you made were
deployed successfully.
18. Click Cancel to abandon your changes to restore the NTA server configuration to its previous
settings.
19. Click Return to return to the Server Management page.
Re-deploying the NTA server configuration

NTA enables you to restore or re-deploy the existing NTA server configuration with or without
modifications to it.
To re-deploy the existing NTA server configuration:
37
1.
2.
From the top navigation bar, select Service > Traffic Analysis and Audit > Settings.
In the settings area of the Traffic Analysis and Audit page, click the Server Management link.
page.
3.
In the Deploy Configuration field for the NTA server for which you want to re-deploy the
configuration, click the icon
Once NTA has completed the re-deployment of the NTA configuration, the Configuration
Deployment Result page appears.
4.
5.
Review the results in the Deployment Details fields for Processor, Receiver, and Probe
Deployment Result to verify that the configuration was re-deployed successfully.
Click Back to return to the Server Management page.
Capturing an NTA server flux log

This option initiates the capture of traffic log data for use with the traffic log auditing feature of
NTA. This feature captures the traffic log for the selected NTA server for one hour. For more
information about using the traffic log auditing feature, see Performing traffic log audits in NTA.
To capture an NTA server flux log:
NTA displays all NTA servers in the Server List displayed in the main pane of the Server
Management page.
3.
In the Capture Flux Log field for the NTA server for which you want to capture a flux log, click
4.
the icon
.
When prompted, click OK to capture the flux log.
The page displays the Server Management page. The results of the capture flux log request appear
at the top of the page. Review the results of this request to ensure that NTA is configured to
successfully capture the flux log. Once you capture the flux log, you can use the traffic log audit
feature to view captured data. For more information about the traffic log audit feature, see
Performing traffic log audits in NTA.
Managing applications in NTA

NTA enables you to manage the applications that NTA analyzes and reports on. Using the
application management features of NTA, you can create applications, protocols, and application
categories, and define which of the protocols NTA analyzes. This enables you to refine and
customize NTA to meet your specific traffic monitoring and reporting needs.
An application assigns a name to a layer 4 protocol and port number, or to a layer 7 application
name, protocol, and regular expression. Applications enable you to configure NTA to analyze
and report on predefined applications or applications in use in your environment that NTA does
not include in the predefined list of applications.
There are two types of applications: layer 4 and layer 7. With layer 4 applications, you specify
the application name as well as the layer 4 protocol in use, TCP, UDP, or both. In addition, you
specify the layer 4 port number that the application uses. When a match is found, NTA attributes
the traffic in NTA reports to the application name you provided.
With layer 7 applications, you specify the application name as well as a regular expression string
that NTA uses to compare against the contents of the layer 7 portion of every IP packet. When a
match is found, NTA attributes the traffic in NTA reports to the application name you provided.
38
NTA uses a protocols list for analyzing network traffic. You can create user-defined protocols and
modify predefined protocol names. You can enable or disable the protocols on this list to tune NTA
to meet your reporting needs.
Application categories enable you to group applications together for summarized analysis and
reporting. You can create application categories that are organized by application or by protocol.
When you create an application category based on application, you select from the list of existing
applications comprised of the predefined and user-defined applications. When you create an
application category based on protocol, you select protocols from the NTA predefined and
user-defined protocols list. Either way, NTA provides summarized analysis and reporting for all
applications in the group.
The first step in customizing NTA to meet your needs is to review the NTA list of predefined
applications to identify the applications it does and does not contain. Compare the results of your
review against the list of applications used in your environment that you expect to use NTA traffic
analysis reporting for. Then, create applications in NTA for all applications that are not on the list.
For more information about creating and managing applications, see Managing applications.
Then, review the protocols list in NTA and identify any protocols in use in your environment and
verify that they are enabled in the Protocol List. For more information about managing protocols,
see Managing protocols.
Once you have added the applications and enabled or disabled the protocols, then create the
application categories you need to group applications and protocols into to meet your analysis
and reporting needs. For more information about creating application categories, see Managing
application categories.
In this section, we explore this process of managing applications, protocols, and application
categories in NTA.
Managing applications
NTA analyzes traffic from an application perspective based on the list of applications within NTA.
NTA enables you to add custom applications to the list that NTA uses to process and analyze and
present network flow data. This feature enables you to identify and analyze applications used by
your organization that are not included in NTA as system or predefined applications.
There are two types of applications, layer 4 and layer 7. With layer 4 applications, you specify
specify the layer 4 port number that the application uses and the IP addresses of hosts that use the
application. Therefore, layer 4 applications can be identified by host. When a match is found,
NTA attributes the traffic in NTA reports to the application name you provided.
With layer 7 applications, content that can be found in the header of an IP packet is used to identify
the application. This feature is particularly useful for applications that use dynamic port assignments
such P2P, BT, and eDonkey. To create a layer 7 application, you specify a regular expression
string that NTA uses to compare the contents of the IP header of every packet. When a match is
found, NTA attributes the traffic in NTA reports to the application name you provided. Applications
using inconsistent ports are common in most networks and processing them in NTA can consume
considerable NTA system resources. Therefore, layer 7 applications include the option to enable
or disable them. This enables you to create the applications, and then use them on an as-needed
basis.
This section explores the process of viewing, adding, modifying, and removing applications from
NTA.
Viewing the application list

All of the applications that NTA uses to analyze and present network flow data from an application
perspective can be found in the Application List.
To view the Application List:
39
1.
2.
3.
From the top navigation bar, select Service > Traffic Analysis and Audit > Settings.
In the settings area of the Traffic Analysis and Audit page, click the Application Management
link.
In the upper left corner of the Application Management page, click the Application tab.
NTA displays all applications in the Application List in the main pane of the Application
Management page.
Application list contents
ApplicationContains the name of the application. This field is a link to the Application
Details page for more detailed information on the associated application.
ProtocolIdentifies the layer 4 IP protocol, TCP or UDP, for the associated application.
PortContains the TCP or UDP port number for the associated layer 4 application. A
layer 7 application does not need specific port number. The port number could be a port
number or a port number range.
Application TypeIdentifies which layer of the seven layer OSI Reference model at which
this application operates.
DescriptionThis field provides a description of the application.
Pre-definedIdentifies whether or not the associated application is system or predefined

or user-defined. A value of Yes in this field indicates that the associated application is
system or predefined. A value of No in this field indicates that the associated application
is user-defined.
to the Modify page for the associated application.

for deleting the associated application.
Use the following aids to navigate the Application List.
Click
to page forward in the Application List.
Click
to page forward to the end of the Application List.
Click
to page backward in the Application List.
Click
to page backward to the front of the Application List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Application List to
configure how many items per page you want to display.
For Application Lists that have more than one page, click a number from the bottom right
side of the main pane to go to a particular page of the trap list.
To query NTA for the most current Application List, click the Refresh button in the upper
left corner of the Application List.
NOTE: You can sort the Application List by the Application, Protocol, Port, Application Type,
Description, and Pre-defined fields. Click the column label to sort the list by the selected field. The
column label allows you to toggle between the sort options specific to each field.
Querying the application list

To query the Application List:
2. In the Settings area of the Traffic Analysis and Audit page, click the Application Management
link.
40
3.
In the upper left corner of the Application Management page, click the Application tab.
NTA displays all applications known to NTA in the Application List in the main pane of the
Application Management page.
4.
In the upper right corner of the Application List page, enter a partial or complete name of the
application to be queried in the query criteria field, and click the Query icon
the unmatched applications.
5.
6.
to filter out
To filter applications by using more query criteria, click the Advanced icon
to the right of
the query criteria field to expand the query criteria panel above the application list. Enter or
select one or more of the following query criteria:
ApplicationEnter a partial or complete name for each application you want to locate.
ProtocolSelect the layer 4 IP protocol you want to filter the associated application for
from the Protocol list. Options are TCP, UDP and TCP/UDP.
PortEnter the TCP or UDP port number for the associated applications you want to
locate. Otherwise, you can enter a range of port numbers for the associated applications
you want to locate.
Application TypeSelect the application type, Layer 4, Layer 7 or All, from the Application
Type list.
Pre-definedTo filter for applications that are predefined, select Yes from the Pre-defined
list. To filter for applications that are user-defined, select No from the list. To include system
or predefined as well as user-defined applications, select Not limited.

The results of your search is displayed on the Application List.
7.
When you have finished reviewing the results of your query, click Reset to restore the full
contents of the Application List.
Adding an application
There are two types of applications, layer 4 and layer 7. With layer 4 applications, you specify
specify the layer 4 port number that the application uses and the IP addresses of hosts that use the
application. Therefore, layer 4 applications can be identified by host. When a match is found,
NTA attributes the traffic in NTA reports to the application name provided.
Applications using dynamic or inconsistent port assignments are common in most networks and
processing them can consume considerable system resources. With layer 7 applications, NTA
enables you to identify content that can be found in the header of an IP packet to be used to identify
an application. This feature is particularly useful for applications that use dynamic port assignments
such P2P, BT, and eDonkey.
To create a layer 7 application, specify a regular expression string that NTA uses to compare the
contents of the IP header of every packet. When a match is found, NTA attributes the traffic to the
application name you provided in reports. Therefore, layer 7 applications include the option to
enable or disable them. This enables you to create an application and use it on an as-needed
basis.
To add a user-defined application to NTA:
link.
3. In the upper left corner of the Application Management page, click the Application tab.
41
4.
Click Add.
The Add Application page appears.
5.
6.
7.
In the Application field, enter the name for the application.

In the Description field, enter a brief description for the application.
From the Protocol list, select the layer 4 IP protocol.
Options are TCP, UDP, and TCP/UDP. If you select TCP/UDP, you add two applications to the
application list, one using TCP and the other using UDP.
8.
9.
From the Application Type list, select the application type, Layer 4 or Layer 7. If you selected
Layer 4, skip to Step 10. If you selected Layer 7, go now to Step 9.
Perform the following tasks when Layer 7 is selected:
a. If you selected Layer 7 from the Application Type list, enter a string in the Regular
Expression field. NTA use the regular expression to identify the application in the Layer
7 portion of each IP packet examined. For more information on the use of regular
expressions in NTA, see Introduce regular expression in NTA.
NOTE: After you create an application, you cannot modify the Protocol, Application
Type, or Port number. You can only create a new application with the revised Protocol,
Application Type, and Port number.
b.
Select Yes from the Enable list to enable regular expression matching for the application.
Select No if you do not want to enable regular expression matching for the application.
10. Perform the following tasks when Layer 4 is selected:
If you selected Layer 4 as the application type from the Application Type list, enter the
TCP or UDP port number that the application uses in the Port field. Otherwise, you can
enter a range of port numbers that the application uses.
If you selected Layer 4 as the application type from the Application Type list, you can
enter the IP address that the application uses in the Host IP field. This step is optional.
You can configure a layer 4 application to include one or more host IP addresses. You
can enter a range of IP addresses, or a combination of IP host addresses and IP address
ranges. However, no two addresses or address ranges entered in the Host IP field can
overlap.
To add IP address entries in the Host IP field, follow the instructions provided below.
To enter the IP address for a single host, enter the IP address using dotted decimal notation.
An example of a valid IP address entry would be
10.153.89.10
An example of a valid network/subnet mask in dotted decimal notation would be

10.153.89.0/255.255.255.0
A valid network/subnet mask entry using CIDR notation would be

10.153.89.0/24
An example of a valid IPv6 address entry would be

a001:410:0:1::1
A valid IPv6 address and subnet mask using CIDR notation would be
a001:410:0:1::1/64
11. On the right of the Host IP field, click the Add button.
The addresses and masks you entered are added to the Host IP List field displayed below the
Host IP field.
12. Click OK to create the application.
42
After you create an application, NTA uses it to analyze and report on traffic data.
Modifying an application
To modify a user-defined application to NTA:
2. In the settings area of the Traffic Analysis and Audit page, click the Application Management
link.
4.
In the Modify field for the application you want to modify, click the icon
The Modify Application page appears.

5.
6.
7.
In the Application field, modify the name for the application.

In the Description field, modify the description for the application.
In the Port field, modify the port number or port number range for the user-defined application.
You can enter a range of port numbers for the application.
NOTE:
8.
After you create a user-defined application, you cannot modify the Protocol and Application
Type. You can create a new application with the revised Protocol and Application Type.
You cannot modify the Protocol, Application Type, or Port for a predefined application.

a. If you selected from the Application Type list, you can modify the regular expression string
in the Regular Expression field. NTA uses the regular expression string to identify the
application in the Layer 7 portion of each IP packet examined.
For more information on the use of regular expressions in NTA, see Introduce regular
expression in NTA.
b.
Select Yes from the Enable list if you want to enable regular expression matching for the
application. Select No if you do not want to enable regular expression matching for the
application.
43
9.

a. If you selected Layer 4 as the application type from the Application Type list, enter the IP
address that the application uses in the Host IP field. This step is optional.
You can configure a layer 4 application to include one or more host IP addresses.
Otherwise, you can enter a range of IP addresses, or a combination of IP host addresses
and IP address ranges. However, no two addresses or address ranges entered in the
Host IP field can overlap.
To add IP address entries in the Host IP field, follow the instructions provided below.
An example of a valid IP address entry would be
10.153.89.10
An example of a valid network/subnet mask in dotted decimal notation would be

10.153.89.0/255.255.255.0
A valid network/subnet mask entry using CIDR notation would be

10.153.89.0/24
An example of a valid IPv6 address entry would be

a001:410:0:1::1
A valid IPv6 address and subnet mask using CIDR notation would be
a001:410:0:1::1/64
b.
On the right of the Host IP field, click the Add button.

The addresses and masks you entered are added to the Host IP List field displayed below
the Host IP field.
c.
On the right of the Host IP List field, click the Delete button.
The addresses and masks you select are deleted from the Host IP List field.
10. Click OK to accept your modifications to the application.
Batch importing applications

You can import user-defined applications from CSV files in batches. Each line of the file defines
one application, including the application name, protocol, port number, and application description.
To import user-defined applications to NTA in batches:
link.
NTA displays all applications in the Application List displayed in the main pane of the
4.
Click Import.
The Import Application page appears.
5.
Click Browse.
The Choose file dialog box appears.
6.
Locate the application definition file to be imported, and click Open.

IMC automatically populates Application Definition File field with the file path and name.
7.
Click Upload File.

NTA starts to resolve the file contents. The Import Application page displays the resolution
result on the Application List.
44
Imported application list
Line NO.Number of the line that holds the application.
ApplicationName of the application, which is defined by the first column of the file.
ProtocolProtocol used by the application, which is defined by the second column of

the file.
PortPort number used by the application, which is defined by the third column of the
file.
DescriptionDescription on the application, which defined by the fourth column of the

file.
StatusStatus of the application. After NTA finishes the resolution, the correct status of
an application is To be imported. If prompted wrong status, check the file format.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Application List to
configure how many items per page you want to display.
8.
Click Import to import applications in batches.

If the import succeeds, the Status field on the Application List displays Successful. If the import
is failed, the Status field shows the reason for the failure.
9.
Click Return to return to the Application Management page.
Deleting an application
You can delete user-defined applications. Deleting an application from NTA does not delete the
data for the associated application. The data for all deleted applications are retained in the
database in accordance with the NTA server configuration.
To delete a user-defined application from NTA:
link.
NTA displays all applications in the Application List displayed in the main pane of the
4.
for the application you want to delete.
NOTE: You can delete user-defined applications only. You cannot delete system or predefined
applications.
5.
Click OK to confirm the deletion of the selected application.

The Application List reflects the deletion of the selected application.
Introduce regular expression in NTA

If you selected Layer 7 from the Application Type list to add an application, you must enter a regular
expression string in the Regular Expression field that NTA uses to identify the application in the
layer 7 portion of each IP packet examined.
A regular expression contains 1 to 255 characters in hexadecimal notation or in text string. The
hexadecimal notation contains \x01 through \xff. The text string can contain letters, digits, and
symbols (also known as metacharacters).
The metacharacters in regular expression
45
The following terms describe the metacharacters in a regular expression.
Brackets ([])Matches a single character contained within the brackets. For example, [abc]
matches a, b, or c.
Vertical bar (|)Matches either the expression before or the expression after the operator.
For example, ab | cd matches ab or cd.
Parentheses (())Defines a subexpression. For example, a(b|c)d matches abd or acd, but not
ab, cd, or abcd.
Dot (.)Matches any single character. For example, a.b matches avb, but not ab or avwb.
Contained within a bracket expression, this character matches a literal dot.
Asterisk (*)Matches the preceding element zero or more times. For example, a*bc matches
bc, abc, aabc, and so on. Contained within a bracket expression, this character matches a
literal asterisk.
Plus sign (+)Matches the preceding element one or more times. For example, a+bc matches
abc, aabc, aaabc, and so on. Contained within a bracket expression, this character matches
a literal plus sign.
Question mark (?)Matches the preceding element zero or one time. For example, a?bc only
matches bc or abc. Contained within a bracket expression, this character matches a literal
question mark.
Caret (^)Matches the beginning of a string. For example, ^the matches the string the man
is tall, but not is the man tall. A bracket expression containing this character ([^]) matches
a single character that is not contained within the brackets. For example, [^abc] matches abcd
or ef, but not ac or bc.
Dollar sign ($)Matches the end of a string. For example, man$ matches the string abnormal
man, but not the man is tall.
Minus sign (-)Represents a range if it is not the first or last character within the brackets. For
example, [a-c] matches any lower-case character from a to c (that is, a, b, or c). Being the
first or last character in a bracket expression, this character matches a literal minus sign.
Regular expression examples
Example 1
Regular expression ^\x13BitTorrent protocol matches the content of a BitTorrent handshake
packet, which starts with hexadecimal character \x13 and is followed with the string BitTorrent
protocol. The regular expression would match \x13BitTorrent protocol 1.22v, but not
BitTorrent protocol 1.22v or our protocol is \x13BitTorrent protocol, which do not start
with \x13.
Example 2
Regular expression ^a[bc].*d$ would match abd, ab random words d, or ac random words
d, but not aed (in which e is not included in bracket expression [bc]), the abd (which does not
start with a), or acde (which does not end with d).
Example 3
Regular expression a+b? matches any string that contains one or more as followed with zero
or one b. It would match ab, a, aa, aab, or cabd, but not bb.
Example 4
Regular expression a(bc)+d matches any string that contains a and d with the string bc
appearing one or more times in between. It would match abcd or abcbcbcd, but not abcbd.
46
Managing protocols
Protocol management allows you to add protocols and define the network or protocols to enable
NTA traffic analysis and reporting. For example, if you enable ICMP, NTA analyzes bandwidth
usage trends and other statistics for ICMP. Disabling protocols remove them from statistical analysis
and reporting. This section explores the process for viewing, and querying the protocols that can
be analyzed and reported on in NTA.
Viewing the protocol list

NTA displays all protocols it processes network flow records for in the Protocol List.
To view the protocol list:
link.
47
3.
In the upper left corner of the Application Management page, click the Protocol tab.
NTA displays all protocols in NTA in the Protocol List in the main pane of the Application
Management page.
Protocol list contents
Protocol NameContains the name of the protocol. This field is a link to the Protocol
Details page for information on the associated protocol.
Protocol NumberContains a sequential number assigned to the protocol for NTA

purposes. This field does not contain the port number for the associated protocol.
EnableIdentifies whether or not the associated protocol is enabled for statistical analysis
and reporting.
Pre-definedIdentifies whether the associated protocol is system or predefined or

user-defined. A value of Yes in this field indicates that the associated protocol is system
or predefined. A value of No in this field indicates that the associated protocol is
user-defined.
protocol.
to the Modify page for enabling and disabling the associated

for deleting the associated protocol.
If the Protocol List contains enough entries, the following navigational aids appear. Use the
following tools to navigate the protocol list.
Click
to page forward in the Protocol List.
Click
to page forward to the end of the Protocol List.
Click
to page backward in the Protocol List.
Click
to page backward to the front of the Protocol List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Protocol List to configure
how many items per page you want to display.
For Protocol Lists that have more than one page, click a number from the bottom right
side of the main pane to go to a particular page of the trap list.
To query NTA for the most current Protocol List, click the Refresh button in the upper left
corner of the Protocol List.
NOTE: You can sort the Protocol List by the Protocol Name, Protocol Number, Enable, and
Pre-defined fields. Click the column label to sort the list by the selected field. The column label
allows you to toggle between the sort options specific to each field.
Querying the protocol list

To query the protocol list:
link.
3. In the upper left corner of the Application Management page, click the Protocol tab.
NTA displays all protocols in NTA in the Protocol List in the main pane of the Application
Management page.
48
4.
In the upper right corner of the Protocol List page, enter a partial or complete name of the
protocols to be queried in the query criteria field, and click the Query icon
the unmatched protocols.
to filter out
To filter protocols by using more query criteria, click the Advanced icon
to the right of the
query criteria field to expand the query criteria panel above the protocol list. Enter or select
one or more of the following query criteria:
5.
Protocol NameIn the Protocol Name field, enter a partial or complete name for the
protocols for which you want to search.
Protocol NumberIn the Protocol Number field, enter the number NTA has assigned to
the protocol (not the port number for the protocol).
EnableFrom the Enable list, select Yes to filter the list for all protocols that are enabled
for analysis and reporting. Select No to filter the list for all protocols that are disabled
from analysis and reporting. Select Not limited if you do not want to filter the list by
protocols that have been either enabled or disabled.
Pre-definedFrom the Pre-defined list, select Yes to filter for protocols that are predefined.
To filter for protocols that are user-defined, select No from the list. To include system or
predefined as well as user-defined protocols, select Not limited.

The results of your search appear on the Protocol List.
6.
When you have finished reviewing the results of your query, click Reset to restore the full
contents of the Protocol List.
Adding a protocol
To add a user-defined protocol to NTA:
1. From the top navigation bar, select Service > Traffic Analysis and Audit > Settings.
link.
NTA displays all protocols on the Protocol List in the main pane of the Application Management
page.
4.
Click Add.
The Add Protocol page appears.
5.
6.
In the Protocol Name field, enter the name for the protocol.
In the Protocol Number field, enter the number for the protocol.
NOTE: After you add a protocol, you cannot modify the Protocol Number. You can add a
new protocol with the revised protocol number.
7.
To enable statistical analysis and reporting for the selected protocol, select Yes from the Enable
list.
To disable statistical analysis and reporting for the selected protocol, select No from the Enable
list.
8.
Click OK to add the protocol.

After a protocol is added, NTA uses it to analyze and report on traffic data.
Modifying a protocol
To enable or disable the analysis and reporting of a protocol in NTA:
49
1.
2.
3.
Select Service > Traffic Analysis and Audit > Settings.

In the settings area of the Traffic Analysis and Audit page, click the Application Management
link.
In the upper left corner of the Application Management page, click the Protocol tab.
NTA displays all protocols in the Protocol List in the main pane of the Application Management
page.
4.
In the Modify field for the protocol you want to modify, click the icon
The Modify Protocol page appears.

5.
6.
7.
8.
In the Protocol Name field, modify the name for the protocol.
From the Enable list, select Yes to enable the statistical analysis and reporting for the selected
protocol.
From the Enable list, select No to disable the statistical analysis and reporting for the selected
protocol.
Click OK to accept your changes.
NTA begins analysis and reporting for the protocol that has been enabled. Reports for newly
enabled protocols become available after several data collection intervals.
Batch importing protocols

To import user-defined protocols to NTA in batches:
link.
page.
4.
Click Import.
The Import Protocol page appears.
5.
Click Browse button.

The Choose file dialog box appears.
6.
Choose the protocol definition file to be imported, and click Open.

IMC auto-populates Protocol File field with the file path and name.
7.
Click Upload File button.

NTA starts to resolute the file contents. The Import Protocol page is refreshed to display the
resolution result on the Protocol List.
Imported protocol list
Line NO.Number of the line that holds the protocol.
Protocol NameName of the protocol, which is defined by the first column of the file.
Protocol NumberProtocol number used by the protocol, which is defined by the second
column of the file.
EnableIndicates whether or not enable the statistical analysis and reporting for the
selected protocol, which is defined by the fourth column of the file.
StatusStatus of the protocol. After NTA finishes the resolution, the correct status of a
protocol is To be imported. If prompted wrong format, check the whether the imported
file has the required format.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Protocol List to configure
50
8.
Click Import to import protocols in batches.

If the import succeeds, the Status field on the Protocol List displays Successful. If the import
fails, the Status field displays the reason for the failure.
9.
Click Return to return to the Application Management page.
Deleting a protocol
To delete a user-defined protocol from NTA:
link.
page.
4.
for the protocol you want to delete.
NOTE: You can delete user-defined protocols only. You cannot delete system or predefined
protocols.
5.
Click OK to confirm the deletion of the selected protocol.

The Protocol List reflects the deletion of the selected protocol.
Managing application categories

Application Category management allows you to group similar applications into groups called
application categories. NTA then analyzes the network flow records it receives based on application
categories.
NTA provides many predefined application categories. In addition, you can create custom
application categories as well as modify or delete predefined application categories to meet your
specific needs.
Viewing the application category list

NTA displays all application categories in the Application Category List.
To view the application category list:
link.
51
3.
In the upper left corner of the Application Management page, click the Application Category
tab.
NTA displays all application categories in the Application Category List in the main pane of
the Application Management page.
Application category list contents
NameContains the name of the application category. This field is a link to the Application
Category Details page for more detailed information on the associated application
category including the list of applications contained in the category.
DescriptionContains a description for the associated application category.
TypeIdentifies application category. There are two types of categories that NTA supports:
Application and Protocol.
Pre-definedIdentifies whether or not the associated application category is system or

predefined or user-defined. A value of Yes in this field indicates that the associated
application category is system or predefined. A value of No in this field indicates that
the associated application category is user-defined.
category.
to the Modify page for modifying the associated application

for deleting the associated application category.
If the Application Category List contains enough entries, the following navigational aids appear.
Use the following tools to navigate the application category list.
Click
to page forward in the Application Category List.
Click
to page forward to the end of the Application Category List.
Click
to page backward in the Application Category List.
Click
to page backward to the front of the Application Category List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Application Category
List to configure how many items per page you want to display.
For Application Category Lists that have more than one page, click 1, 2, 3, 4, 5, 6, 7,
8, 9, 10...from the bottom right side of the main pane to jump to a particular page of the
trap list.
To query NTA for the most current Application Category List, click the Refresh button in
the upper left corner of the Application Category List.
NOTE: You can sort the Application Category List by the Name, Description, Type, and
Pre-defined fields. Click the column label to sort the list by the selected field. The column label
allows you to toggle between the various sort options specific to each field.
Querying the application category list

To query the Application Category List:
link.
3. In the upper left corner of the Application Management page, click the Application Category
tab.
52
4.
In the upper right corner of the Application Category List page, enter a partial or complete
name of the application categories to be queried in the query criteria field, and click the
Query icon
5.
6.
to filter out the unmatched application categories.
To filter application categories by using more query criteria, click the Advanced icon
to
the right of the query criteria field to expand the query criteria panel above the application
category list. Enter or select one or more of the following query criteria:
NameEnter a partial or complete name for the application category you want to search
for in the Name field.
Pre-definedTo filter for application categories that are predefined, select Yes from the
Pre-defined list. To filter for application categories that are user-defined, select No from
the list. To include system or predefined as well as user-defined application categories,
select Not limited.

The results of your search are displayed the Application Category List below the Query
Application Categories section of the Application Management page.
7.
When you finish reviewing the results of your query, click Reset to restore the full contents of
the Application Category List.
Adding an application category

You can create custom or user-defined application categories. This allows you to group one or
more applications or protocols together into a single category. NTA then combines and provides
summarized statistical analysis and reporting for all applications or protocols in the category.
To add an application category:
link.
tab.
NTA displays all application categories on the Application Category List displayed in the main
pane of the Application Management page.
4.
Click Add.
The Add Application Category page appears.
5.
6.
7.
In the Name field, enter a name for the application category.

In the Description field, enter a brief description for the application category.
From the Type list, select the type of application category you want to create.
Options are:
ApplicationSelect this option if you want to create an application category that includes
any of the layer 4 or layer 7 system or user-defined applications.
ProtocolSelect this option if you want to create an application category that includes
any of network and other protocols in NTA.
8. If you selected Application from the Type menu, go to step 13.

9. If you selected Protocol from the Type menu, skip to step 14.
10. To add one or more applications to the category, click the Add button to the right of the
Application List field.
The Query Applications dialog box displays an empty Application List in the lower portion of
the dialog box.
53
To select applications to add to your category, you must first query the Application List. To do
so:
a. In the Query Applications section of the dialog box, enter one or more of the following
search criteria:
b.
ApplicationEnter a partial or complete name for the application or applications

you want to search for in the Application field.
Pre-definedTo search for applications that are predefined, select Yes from the
Pre-defined list. To filter for applications that are user-defined, select No from the list.
To include system or predefined as well as user-defined applications, select Not
limited.
To display the full Application List, click Query without entering any search criteria.
The results of this query are displayed in the Application List displayed below the Query
Applications section. If the application you want to add does not exist in the Application
List, you can add it as a user-defined application. For more information about adding
applications to NTA, see Managing applications.
c.

The results of your query are displayed in the Application List displayed below the Query
Applications section.
d.
e.
Click the checkboxes next to the application definitions you want to add to the application
category.
Click OK to add the applications to the application category you want to create.
If you selected Protocol as the application category type in step 10, you need to select the
protocols to add to the application category. You can add one or more protocols to the
category.
11. To the right of the Application List field, click the Add button.
The Query Applications dialog box appears and an empty Protocol List appears in the lower
portion of the dialog box.
To populate this list in order to select protocols to add to your category, you must first query
the Protocol List. To do so:
a. In the Query Protocols section of the dialog box, enter one or more of the following search
criteria:
b.
ProtocolEnter a partial or complete name for the protocols you want to search for
in the Protocol field.
Pre-definedTo search for protocols that are predefined, select Yes from the
Pre-defined list. To filter for protocols that are user-defined, select No from the list.
To include system or predefined as well as user-defined protocols, select Not limited.
To display the full Protocol List, click Query without entering any search criteria.
The results of this query appear on the Protocol List below the Query Protocols section.
c.

The results of your query appear in the Protocol List below the Query Protocols section.
d.
e.
Click the checkboxes next to the protocols you want to add to the application category.
Click OK to add the protocols to the application category you want to create.
12. Click OK to create the application category.
Modifying an application category

To modify an application category:
54
2.
3.
In the Settings area of the Traffic Analysis and Audit page, click the Application Management
link.
In the upper left corner of the Application Management page, click the Application Category
tab.
4.
for the application category you want to modify.
The Modify Application Category page appears.

5.
6.
In the Name field, modify the name for the application category.
In the Description field, modify the description for the application category.
NOTE: After you create the application category Type, you cannot modify it. You can create
a new definition with a revised Type.
If the application category type is Application, you can add or remove applications from the
category.
7.
To add applications, click the Add button next to the Application List field.
The Query Applications dialog box is displays an empty Application List in the lower portion
of the dialog box.
To select applications to add to your category, you must first query the Application List. To do
so:
search criteria:
b.
ApplicationEnter a partial or complete name for the applications you want to

search for in the Application field.
Pre-DefinedFrom the Pre-defined list, click Yes to search for applications that are
predefined. To filter for applications that are user-defined, select No from the list. To
include system or predefined as well as user-defined applications, select Not limited.
The results of this query are displayed in the Application List displayed below the Query
Applications section. If the application you want to add does not exist in the Application
List, you can add it as a user-defined application. For more information about adding
c.

The results of your query appear in the Application List appear below the Query
d.
e.
f.
g.
h.
Next to the applications you want to add to the application category, click the checkboxes.
Click OK to add the applications to the application category you want to create.
To delete an application from the list, highlight the applications you want to delete.
To the right of the Application List field, click Delete.
Click OK to confirm the deletion of the selected applications.
If the application category type is Protocol, you can add or remove one or more protocols
from the category.
8.
On the right of the Application List field, click the Add button to add one or more protocols.
The Query Applications dialog box appears and an empty Protocol List appears in the lower
portion of the dialog box.
55
To populate this list in order to select protocols to add to your category, you must first query
the Protocol List. To do so:
a. In the Query Protocols section of the dialog box, enter one or more of the following search
criteria:
b.
Pre-DefinedFrom the Pre-defined list, click Yes to search for protocols that are
predefined. To filter for protocols that are user-defined, select No from the list. To
include system or predefined as well as user-defined protocols, select Not limited.
The results of this query appear on the Protocol List below the Query Protocols section.
c.

d.
e.
f.
g.
h.
9.
Next to the protocols you want to add to the application category, click the checkboxes.
Click OK to add the protocols to the application category you want to create.
To delete a protocol from the list, highlight the protocols you want to delete.
On the right of the Application List field, click Delete.
Click OK to confirm the deletion of the selected protocols.
Click OK to accept your modifications to the application category.
Deleting an application category

You can delete predefined and user-defined application categories. Deleting an application category
from NTA does not delete the data for the associated application category. The data for all deleted
application categories are retained in the database in accordance with the NTA server configuration.
To delete an application category:
link.
tab.
4.
5.
In the Delete field for the application category you want to delete, click the icon
Click OK to confirm the deletion of the selected application category.
The Application Category List will update to reflect the deletion of the selected application
category.
Configuring NTA traffic analysis parameters

You can configure and tune many of the configuration parameters that define how data is analyzed
and presented in NTA. This section explores the parameters that can be configured by an NTA
administrator and the configuration.
Basic and advanced settings

To view and configure NTA basic and advanced configuration parameters:
56
2.
In the Settings area of the Traffic Analysis and Audit page, click the Parameters link.
NTA displays the configurable parameters in the main pane of the Parameter Management
page.
3.
To configure basic settings:
Report TopNEnter the number of entries you want analyzed and reported on for all
TopN reports in the Report TopN field. The range for TopN entries is 1-50. After completing
the configuration, click OK to the right of the parameter to make the configuration take
effect.
Log LifetimeEnter the number of days you want to retain NTA logs in the Log Lifetime
field. The range for retaining logs is 1 to 1,825 days (5 years). If you enable the data
export function, the logs whose log lifetime expires are exported from the database to
an external file. An operator can use the log auditing tool to audit the traffic data of the
exported file.
After completing the configuration, click OK to the right of the parameter to make the
configuration take effect.
Exported File LifetimeEnter the lifetime of the file to which the logs are exported. The
lifetime of an exported file is the current time minus the time of logs in the file. It is set to
90 days by default. After completing the configuration, click OK to the right of the
parameter to make the configuration take effect.
Configuring NTA traffic analysis parameters
57
4.
To configure advanced settings:
Max. Displayed Entries for AuditNTA enables you to search the original data source
logs for traffic data containing specific ports and source and destination hosts for a
specific time period. You can configure how many results NTA displays for a given search
or audit in the Max. Displayed Entries for Audit parameter. Enter the number of
search/audit results you want NTA to display in this field. The valid range of entries is 1
to 100,000. After completing the configuration, click OK to the right of the parameter to
make the configuration take effect.
Unknown Application Traffic AnalysisNTA enables you to decide if NTA will analyze
and report on applications that are unknown to NTA. Selecting Enable from the Unknown
Application Traffic Analysis list will direct NTA to process and report on all applications
that it cannot identify and label them as Unknown Application. If you select Disable,
NTA will discard any traffic for which it cannot identify the application. After completing
effect.
NOTE: You can also add applications in NTA using Layer 4 TCP or UDP port number,
or using Layer 7 regular expression pattern matching to identify applications that do not
exist in NTA. For more information on adding applications, see Managing applications.
Host Session MonitorThe Host Session Monitor instructs NTA to process flow records
on a host session basis. When you enable this feature, NTA will create a Sessions link
located on the Traffic Analysis and Audit left navigation tree. This link contains reports
for TopN Session host statistics with drilldown capabilities to detailed session statistics
for an individual host. Select Enable if you want to view TopN and individual host session
statistics. Select Disable if you do not want to process and view host session statistics.
After completing the configuration, click OK to the right of the parameter to make the
ToS/MPLS Exp Traffic AnalysisNTA provides statistical analysis and reporting of traffic
based on Type of Service or MPLS Exp. To enable ToS or MPLS Exp analysis and reporting,
select Enable from the ToS/MPLS Exp Traffic Analysis list. After completing the
configuration, click OK to the right of the parameter to make the configuration take effect.
Baseline AnalysisThe Baseline Analysis feature provides an additional layer of analysis

to NTA reports by including baseline trend data after data has been collected for a
minimum of one week. If this option is enabled and sufficient data is available, a green
trend line is displayed in the Traffic Trend graphs that represent baseline data
approximately seven days after this feature is enabled. Baseline data provides a useful
comparison against current data to identify anomalies. Select Enable to include baseline
analysis in NTA reports. Select Disable if you do not want to include baseline analysis
in NTA reports. After completing the configuration, click OK to the right of the parameter
to make the configuration take effect.
NOTE: The baseline trend line is displayed seven days after the Baseline Analysis feature
has been enabled.
Threshold AlarmThe Threshold Alarm option allows you to configure alarm thresholds
for the interface traffic analysis task, inter-business traffic analysis task, and host connection
number. When the traffic or the number of host sessions exceeds the defined thresholds,
an alarm notification is sent. Select Enable to add alarm notifications. Select Disable if
you do not want to add alarm notifications. After completing the configuration, click OK
to the right of the parameter to make the configuration take effect.
NOTE: The Threshold Alarm option applies to all tasks globally. The options to configure
thresholds are displayed when the interface traffic analysis task or inter-business traffic
58
analysis task is added or modified for those tasks that support thresholds. When you
enable Host Session Monitor feature, you can define thresholds for the number host
sessions.
VPN Flux Detail AnalysisThe VPN Flux Detail Analysis option enables you to view traffic
statistics for the interfaces in a VPN instance. Select Enable to view traffic for individual
interfaces in a VPN instance. Select Disable if you want to view traffic statistics summarized
for the VPN instance as a whole. After completing the configuration, click OK to the right
of the parameter to make the configuration take effect.
Peak Traffic AnalysisThe Peak Traffic Analysis option enables you to view the peak
rates of traffic analysis tasks and interfaces. Select Enable to view the peak rates of traffic
analysis tasks and interfaces. Select Disable if you do not want to view the peak rates of
traffic analysis tasks and interfaces. If you enable the Peak Traffic Analysis feature and
select a time range in the Query Time of the Traffic Query section that is a minimum of 6
hours earlier than the current time, NTA displays the Peak Rate chart next to the Traffic
Trend chart. After completing the configuration, click OK to the right of the parameter to
make the configuration take effect.
Real Time TrafficThe Real Time Traffic option enables NTA to automatically send query
packets to obtain traffic statistics. This function can reduce the time delay caused by
passively waiting for the traffic statistics packets. Select Enable if you want to use the Real
Time Traffic function. Select Disable if you do not want to use this function. After completing
effect.
NTA Conversation Aggregation TopNThe NTA Conversation Aggregation TopN option

specifies whether to aggregate the TopN sessions. By default, NTA aggregates all sessions.
With this feature enabled, NTA aggregates only information of the topN sessions by
traffic. Information of other sessions is dropped. After completing the configuration, click
OK to the right of the parameter to make the configuration take effect.
TopN NTA Conversations for AggregationThe TopN NTA Conversations for Aggregation
option specifies the TopN value for the NTA Conversation Aggregation TopN field. After
completing the configuration, click OK to the right of the parameter to make the
Using NTA filtering strategies

NTA is a NetStream v5/v9, NetFlow v5/v9 and sFlow v5 collection server, and is a centralized
data collector and analyzer for devices that forward network flow records to it. Filter strategies in
NTA enable you to define whether network flow records or the log packets that NTA receives are
processed and analyzed by NTA or discarded. You can choose to process and analyze or discard
packets based on their source or destination IP address, source or destination layer 4 port number.
You can also process or discard TCP, UDP, or ICMP traffic. Otherwise, you can analyze or discard
traffic based on one or more combinations of source and destination IP address, port number and
protocol.
Filter strategies consist of a name, description and default filter policy as well as one or more filter
conditions. There are two types of filter policies: the Discard filter, which discards any packet that
matches the filter conditions, and the Receive filter, which processes and reports on any packet
that matches the filter conditions. The Default Policy defines how log packets are treated by default
when the conditions of the packet do not match any of the filter conditions in the filter strategy.
A filter condition is a rule that defines the conditions under which log packets either are processed
and analyzed or discarded. A filter strategy can have many filter conditions, but every filter strategy
must have at least one filter condition. In addition, at least one of the filter conditions must contain
a filter policy that does not match the default filter policy.
59
NTA provides you the ability to tune very specifically which NetStream, NetFlow, or sFlow packets
are processed and which are discarded. You can filter by IP address as well as by port and
protocol. In addition, you can create multiple filter conditions for every filter strategy. And, every
NTA server supports an unlimited number of filter strategies. For example, you can create filter
strategies for every device or every VPN on every device that forwards NetStream, NetFlow, or
sFlow traffic to NTA. Otherwise, you can create filter strategies by port number or traffic type
across all devices that forward flow traffic to NTA. For example, you can create a simple filter that
discards all ICMP traffic from NTA analysis and reporting.
This section explores NTA filtering features.
Viewing the filter list

To view the Filter Strategy List:
2. In the Settings area of the Traffic Analysis and Audit page, click the Filter Strategy link.
NTA displays all filter strategies in the Filter Strategy List in the main pane of the Filter Strategy
Management page.
Filter strategy list contents
3.
NameContains the name for the associated filter strategy. The contents of this field link
to the Filter Strategy Details for the associated filter strategy.
DescriptionContains a description for the associated filter strategy.
to the Modify page for modifying the associated filter strategy.

for deleting the associated filter strategy.
To query NTA for the current Filter Strategy List, click the Refresh button in the upper left corner
of the Filter Strategy List.
NOTE: You can sort the Filter Strategy List by the Name and Description fields. Click the
column label to sort the list by the selected field. The column label allows you to toggle between
Viewing the filter condition list

Every filter strategy includes a filter condition list that contains all of the filters for the associated
filter strategy. From this list, you can view the configuration parameters of a filter condition as well
as sort and delete filter conditions.
To view the filter condition list:
Management page.
60
3.

list.
for the filter strategy for which you want to view the filter conditions
The Modify Filter Strategy page displays the Filter Condition List in the lower half of the screen.
Filter strategy list contents
PriorityContains priority of the filter condition relative to the other filter conditions in
the list.
PolicyContains the filter condition type for the associated filter. There are two types of
filter policies: the Discard filter, which discards any packet that matches the filter conditions
and the Receive filter that processes and reports on any packet that matches the filter
conditions.
Source HostContains the IP address, if any, that is used to match the IP address contents
of all IP packets processed by this filter condition.
Source PortContains the layer 4 port number that is used to match the source port
contents of all IP packets processed by this filter condition.
Destination HostContains the IP address, if any that is used to match the destination IP
address contents of all IP packets processed by this filter condition.
Destination PortContains the layer 4 port number that is used to match the destination
port contents of all IP packets processed by this filter condition.
ProtocolIdentifies the IP protocol for the associated filter condition. NTA supports TCP,
UDP, ICMP and IPv6 ICMP protocols only.
SortContains the
Move UP and
conditions in the filter list.
for deleting the associated filter condition.

Move Down buttons for re-ordering the filter
Adding a filter strategy

To add a filter strategy:
Management page.
3.
Click Add.
The Add Filter Strategy page appears.
4.
In the Name field, enter a name for this filter strategy.

The filter strategy name must be unique.
5.
In the Description field, enter a brief description for this filter strategy.
Every filter strategy has a default filter policy as well as filter policies defined for every filter
condition.
NTA provides two types of default filters: the default discard filter that discards any packet
that does not match the filter condition list and the default receive filter that processes and
reports on any packet that does not match the filter condition list. To use the default discard
filter policy for the filter strategy, select Discard from the Default Policy list. To use the default
receive filter policy for the filter strategy, select Receive from the list.
6.
At the top of the filter condition list, click the Add button to add a filter condition.
The Filter Condition Configuration dialog box appears. You must add at least one filter condition
to a filter strategy.
61
NTA supports two types of filters for each filter condition: the discard filter, which discards
any packet that matches the filter conditions specified, and the receive filter that processes
and reports on any packet that matches the filter conditions.
7.
Select Discard from the Policy list if you want NTA to discard any packet that matches the
specified filter conditions.
Select Receive from the list if you want NTA to process and include in reporting any packet
that matches the filter conditions.
NOTE: At least one of the filter conditions you create must differ in policy from the Default
Policy. For example, if you set Receive all packets as the default policy for the filter strategy,
then you must create at least one filter condition that has Discard as its filter policy.
8.
Enter the IP or IPv6 address and subnet mask, if any, which are used to match the Source IP
address contents of all IP packets processed by this filter condition. This field is optional.
Leaving this field blank directs NTA not to filter any packet by source address.
This field is optional and leaving this field blank directs NTA not to filter any packet by source
address.
An IP address or an IP address and subnet mask for a range can be entered in dotted decimal
notation or CIDR notation, using a backward slash (/) to separate the IP address from the
subnet mask.
An example of a valid IP address entry:
10.153.89.10
An example of a valid network/subnet mask in dotted decimal notation:

10.153.89.0/255.255.255.0
A valid network/subnet mask entry using CIDR notation:

10.153.89.0/24
An example of a valid IPv6 address entry:

a001:410:0:1::1
A valid IPv6 address and subnet mask using CIDR notation:

a001:410:0:1::1/64
9.
Enter the layer 4 port number, if any that is used to match the source port contents of all IP
packets processed by this filter condition.
port number.
10. Enter the IP or IPv6 address, if any that is used to match the destination IP address contents
of all IP packets processed by this filter condition.
This field is optional and leaving this field blank directs NTA not to filter any packet by
destination address.
An IP address and subnet mask can be entered in dotted decimal notation or CIDR notation,
using a backward slash (/) to separate the IP address from the subnet mask.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1
62

a001:410:0:1::1/64
11. Enter the layer 4 port number, if any that is used to match the destination port contents of all
IP packets processed by this filter condition.
destination port number.
12. To select a protocol to apply to this filter condition, highlight the protocol you want to use from
the Protocol list.
Options are TCP, UDP, ICMP and IPv6 ICMP.
13. Click OK to create the filter condition.
14. Repeat steps 11-14 to add more conditions.
NTA prioritizes the processing of filter conditions based on their order of appearance in the
Filter Condition List. In addition, NTA applies filter conditions on a first match first serve basis
for all filter conditions. Filter conditions are matched based on the order of appearance in the
filter condition list and filter conditions are applied from up to down. If a filter condition is
matched, the data is processed according to the matched filter condition without applying the
remaining filter conditions. If no filter condition is matched, the default policy is applied.
15. To re-prioritize the filter conditions in the Filter Condition List, do one of the following:
In the Sort field associated with the filter condition you want to move up in the list, click
the
icon.
In the Sort field associated with the filter condition you want to move down in the list,
click the
icon.
16. Click OK to create the filter strategy.

Once a filter strategy has been created, you can apply it to one or more of the NTA servers
listed in the NTA Server List under Server Management. For more information about adding
a filter strategy to an NTA server, see Modifying an NTA server configuration.
Modifying a filter strategy

To modify a filter strategy:
Management page.
3.
In the Modify field associated with the filter strategy you want to modify, click the icon
The Modify Filter Strategy page appears.

4.
In the Name field, modify the name of this filter strategy.

The filter strategy name must be unique.
5.
In the Description field, modify the description for this filter strategy.
Every filter strategy has a default filter policy and filter policies defined for every filter condition.
NTA provides two types of default filters: the default Discard filter that discards any packet
that does not match the filter condition list, and the default Receive filter that processes and
reports on any packet that does not match the filter condition list. To use the default discard
filter policy for the filter strategy, select Discard from the Default Policy list. To use the default
receive filter policy for the filter strategy, select Receive from the list.
63
NOTE: If you change the Default Policy, at least one of your filter conditions must not contain
the same policy type as the Default Policy you have configured for the filter strategy. If you
modified the Default Policy from Receive to Discard, then you must have at least one filter
condition that has Receive as its filter policy.
6.
To add a filter condition to the existing filter condition list, click the Add button at the top of
the filter condition list.
You must have at least one filter condition for a filter strategy.
The Filter Condition Configuration dialog box appears.
NTA supports two types of filters for each filter condition: the Discard filter, which discards
any packet that matches the filter conditions specified, and the Receive filter that processes
and reports on any packet that matches the filter conditions.
7.
To discard any packet that matches the specified filter conditions, select Discard from the Policy
list.
To process and include in reporting any packet that matches the filter conditions, select Receive
from the list.
NOTE: At least one of the filter conditions you create must differ in policy from the Default
Policy. For example, if you set Receive all packets as the default policy for the filter strategy,
then you must create at least one filter condition that has Discard as its filter Policy.
8.
Enter the IP address and subnet mask, if any, which will be used to match the source IP address
contents of all IP packets processed by this filter condition. This field is optional and leaving
this field blank directs NTA not to filter any packet by source address.
address.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
9.
Enter the layer 4 port number, if any, used to match the source port contents of all IP packets
processed by this filter condition.
port number.
10. Enter the IP address, if any, used to match the destination IP address contents of all IP packets
processed by this filter condition.
destination address.
64

10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
11. Enter the layer 4 port number, if any, used to match the destination port contents of all IP
packets processed by this filter condition.
destination port number.
12. From the Protocol list, highlight the protocol you want to use to select a protocol to apply to
this filter condition.
Options are TCP, UDP, ICMP and IPv6 ICMP.
13. Click OK to create the filter condition.
Repeat steps 11-14 to add more conditions.
NTA prioritizes the processing of filter conditions based on their order of appearance in the
Filter Condition List. In addition, NTA applies filter conditions on a first match first serve basis
for all filter conditions. Filter conditions are matched based on the order of appearance in the
filter condition list and filter conditions are applied from up to down. If a filter condition is
matched, the data is processed according to the matched filter condition without applying the
remaining filter conditions. If no filter condition is matched, the default policy is applied.
14. Do one of the following:
In the sort field associated with the filter condition you want to move up in the list, click
the
icon to re-prioritize the filter conditions in the Filter Condition List.
In the sort field associated with the filter condition you want to move down in the list, click
the
icon to re-prioritize the filter conditions in the Filter Condition List.
15. In the Delete field associated with the filter condition you want to delete, click the
delete a filter condition.
16. Click OK to accept your changes to the filter strategy.
icon to
Deleting a filter strategy

To delete a filter strategy:
Management page.
3.
4.
In the Delete field associated with the filter strategy you want to delete, click the icon
Click OK to confirm the deletion of the filter strategy.
65
Database space management

The NTA Database Space feature provides current NTA database disk usage and usage trend
statistics over the last twenty-four hours. Otherwise, you can query NTA for usage trends for the
last 7, 30 days, or 3 months or for a user-defined time range. This feature, when combined with
the threshold and action parameters (Usage Threshold of the Database Disk and When Database
Disk Usage Reaches Threshold, respectively) of an NTA server configuration, enables you to
proactively manage disk space usage and ensure adequate disk space for uninterrupted NTA
functioning.
The granularity of the database space usage information varies with the span of the query time.
The longer the time span of the query, the coarser the granularity. The shorter the time span of the
query, the finer the granularity. The finest granularity is 10 minutes. When the NTA service module
and database are installed separately, this feature is not available.
This section explores the Database Space feature for viewing current NTA database disk space
usage. For information on viewing and configuring the database threshold and action settings,
see Managing NTA servers.
Viewing database current usage statistics

To view the NTA current disk space usage:
2. In the Settings area of the Traffic Analysis and Audit page, click the Database Space link.
NTA displays all file and disk space usage statistics in the Database Space Usage list in the
main pane of the Database Space Usage page.
Database space usage contents
platform. The contents of this field are a link for viewing more detailed usage statistics
for the associated server.
Server DescriptionContains a description for the associated NTA server.
Data File UsageContains the most current percent consumption of all available data
files for the associated server. You can access more detailed statistics by clicking the link
in the Server Name field.
Disk UsageContains the current percent consumption of all available disk space allocated
for the associated server.
Viewing database usage trend statistics

NTA enables you to view the NTA database usage over time.
To view the NTA disk space usage trends:
2. In the Settings area of the Traffic Analysis and Audit page, click the Database Space link.
NTA displays all file and disk space usage statistics in the Database Space Usage list displayed
in the main pane of the Database Space Usage page.
3.
Click the contents of the Server Name field for the NTA server for which you want to view
statistics.
The database usage trends for the associated server are displayed.
By default, a graphical representation of database disk space usage over the last twenty-four
hours appears in the Database Space Usage Trend graph.
In addition, NTA displays the tabular data for usage trends over the last twenty-four hours in
the lower half of the page.
66
From the Time list in the Query Database Space Usages section of the page, select the time
range for which you want to view database usage statistics to change the time range for this
graph and table. Options are Last 24 hours, Last 7 days, Last 30 days, Last 3 months, and
Custom.
4.
5.
6.
To enter a user-defined time range, select Custom from the Time list.
Start TimeTo autopopulate this field, click the calendar icon

. A popup calendar
appears. Select the start date and time from the calendar. Adjust the hour and minute
values through the slide bars.
End TimeTo autopopulate this field, click the calendar icon

. A popup calendar
appears. Select the end date from the calendar. Adjust the hour and minute values through
the slide bars.
Click Query. The page displays the result of your query.

Click Reset when you have finished reviewing the results of your query, and to return the page
to its default twenty-four hour usage trend view.
Data export
The data export feature of NTA allows the NTA server to export the traffic data in the database
to the external data files. An operator can use the auditing tool provided by NTA to audit the
network traffic data in the data files. A data file can be saved on a server for up to 90 days, and
is deleted automatically after 90 days.
After you enable data export, either log lifetime or data space alarm can trigger data export.
Log LifetimeNTA checks the lifetime of each log in the database at around 3:00 every day.
A log whose lifetime expires is exported to a data file. The data export triggering condition
always takes effect, regardless of whether data export is enabled. The log lifetime is set in
the NTA system parameters. For information about modifying the log lifetime, see Configuring
NTA traffic analysis parameters.
Data space alarmWith the Trigger Data Export by Data Space Alarm option selected, when
the data space alarms occur, the NTA server automatically exports the oldest data day by
day until the data space alarms are eliminated. The data space alarms are generated based
on the data file usage and the usage of the disk where the database resides. An operator can
modify the threshold for the usage of the disk where the database resides. For information
about modifying the threshold, see Managing NTA servers.
NTA can export only the data of IPv4 traffic, and cannot export the data of IPv6 traffic. The data
of IPv6 traffic can only be deleted according to the triggering conditions.
Viewing the data export config list

To view the data export config list:
Data export
67
Select Service > Traffic Analysis and Audit > Data Export.
The Data Export Config List appears in the main pane of the Data Export page.
Data Export Config List
platform.
Server IPContains the IP address of the NTA server. By default, this contains the loopback
platform.
StatusThis field indicates whether data export is enabled for the NTA server. Options
are Enabled and Disabled.
Last Time of ExportLast time when the NTA server exported data.
Data Export LogContains a link

to the Data Export Log page for viewing the data
export logs of the related NTA server.
related NTA server.
to the Modify page for the data export configuration of the
Querying the data export logs

To query the data export logs:
1. Select Service > Traffic Analysis and Audit > Data Export.
2.
To view the data export logs of an NTA server, click the Data Export Log icon
Data Export Log List
3.
Date of Exported DataDate when the exported data is generated.
Table NameExported table name of the database.
File NameName of the exported file.
Exported TimeTime when the data export is performed.
CountNumber of entries in the exported file.
Export ResultResult of the export.
Enter one or more of the following search criteria:
4.
Date of Exported DataEnter the time range for the data export logs. Enter the start time
in the From field and enter the end time in the To field in the format of YYYY-MM-DD. Or,
click the input boxes and manually select the start time and end time on calendar that
appears.
Click Query to view the data export logs matching the criteria. Click Reset to clear all query
criteria.
Modifying the data export configuration

To modify the data export configuration:
1. Select Service > Traffic Analysis and Audit > Data Export.
2.
68
3.
Select the Enable Data Export option to enable the data export function.
After you enable the data export function, you can configure the Trigger Data Export by Data
Space Alarm and Path of Exported File parameters.
If you do not select the Trigger Data Export by Data Space Alarm option, the NTA server can
export data according to only the log lifetime. With the Trigger Data Export by Data Space
Alarm option selected, when the data space alarms occur, the NTA server automatically
exports the oldest data day by day until the data space alarms are eliminated.
4.
5.
Enter the absolute path of the exported file on the NTA server.
Click OK to complete modifying the data export configuration.
Auditing the exported data

NTA provides an auditing tool. An operator can use the log auditing tool to audit the traffic data
of the exported file. The auditing tool depends on JRE. To guarantee the normal operation of the
auditing tool, make sure you have downloaded the latest JRE.
To audit the exported data:
1. From the top navigation bar, select Service > Traffic Analysis and Audit > Data Export.
2.
Click Log File Audit to download and start the auditing tool.
The auditing tool can perform only general audit for the exported data. Use the auditing tool
in the same way as you use the auditing tool of UBA. For information about using an auditing
tool, see HP IMC User Behavior Auditor Administrator Guide.
Anomaly detection management

NTA collects statistics on traffic flow records and compares the statistics with the thresholds in the
anomaly detection templates. If a threshold is crossed, NTA issues an alarm.
NTA has a series of predefined anomaly detection templates. You cannot add or delete templates,
but you can modify them.
The anomaly detection templates fall into two categories: templates that use the same parameters
and templates that use anomaly type-specific parameters.
The following templates use the same parameters:
TCP Null Scan
TCP Fin Scan
TCP Syn Fin Scan
TCP Xmas Scan
UDP Bomb Attack
Snork Attack
UDP Flood Attack
Invalid ToS
Land Attack
Invalid IP Protocol
Corrupt IP Option
Time Stamp IP Option
Source Route IP Option
Record Route IP Option
Security IP Option
Stream ID IP Option
Fragmented ICMP Packet
ICMP Redirects
ICMP Destination Unreachable
ICMP Request Excess
ICMP Reply Excess
ICMP Source Quench
ICMP Parameter Problem
ICMP Time Exceeded
The following templates use anomaly type-specific parameters:
DNS Rogue Hack
Ping of Death Attack

69
Large ICMP Packet
DHCP Offer Packet
Viewing the anomaly detection list

To view the anomaly detection list:
2. In the Settings area of the Traffic Analysis and Audit page, click the Anomaly Detection link.
NTA displays Anomaly Detection List and Basic Configuration in the Anomaly Detection page.
3.
Modify the basic configuration for anomaly detection:
Time WindowSelects the time window mode for generating anomaly alarms:
Fixed Time WindowSelect this option to take time as a series of fixed-length time
windows. Anomaly detection generates only one alarm within every time window
duration.
Sliding Time WindowSelect this option to use sliding time windows. The start point
of a sliding time window is the time when the last anomaly alarm was generated.
Once an alarm is generated, anomaly detection does not generate another alarm
for the same attack within the specified time window duration.
To place your selection into effect, click the OK button to the right of the parameter.
4.
Window SizeSets the size of the time window, in the range of 1 to 10 minutes. To place
the setting into effect, click the OK button to the right of the parameter.
View the Anomaly Detection List:
NameAnomaly that NTA can detect.
DescriptionDescription of the anomaly, name of the anomaly detection template.
ThresholdAnomaly threshold. When this threshold is crossed, an alarm is sent.
Alarm LevelLevel of the alarm, Emergency by default.
EnableWhether anomaly detection is enabled for the item.
ModifyTo modify the anomaly detection template, click the
icon.
Modifying an anomaly template that uses the common parameters

The methods for modifying anomaly templates that uses the common parameters are the same.
The following shows the procedure for modifying the TCP Fin Scan template.
To modify the TCP Fin Scan template:
2. In the Settings area of the Traffic Analysis and Audit page, click the Anomaly Detection link.
NTA displays Anomaly Detection List and Basic Configuration in the Anomaly Detection page.
3.
for TCP Fin Scan.
The Modify Anomaly Detection page appears. The name and description settings cannot be
changed.
4.
Adjust the alarm threshold.

NTA issues an alarm when the number of detected TCP FIN Scan packets reaches or exceeds
the threshold.
5.
6.
70
Select an alarm level. Options are Emergency, Major, Minor, Warning, and Notice.
Select whether to enable anomaly detection for TCP FIN Scan packets.
7.
Click OK.
Modifying an anomaly template that uses anomaly type-specific parameters

This section describes all anomaly templates that use anomaly type-specific parameters. These
templates use their respective specific parameters in addition to the common parameters.
DNS Rogue Hack

NTA uses the IP addresses of valid DNS servers to determine which packets are from valid DNS
servers. The DNS Rogue Hack template uses one specific parameter:
Host IPEnter the IP address and, optionally, the network mask of a valid DNS server in this
field and click Add to add an entry to the Host IP List.
The Host IP List displays the IP addresses of all valid DNS servers. To remove a DNS server from
the list, select its IP address and click Delete.

NTA determines whether a ping packet is valid based on its size. The Ping of Death Attack template
uses one specific parameter:
Packet SizeEnter the size threshold for ping packets.
If the size of a ping packet exceeds the threshold, NTA considers a Ping of Death attack occurred
and issues an alarm.
Large ICMP Packet

NTA determines whether an ICMP packet is valid based on its size. The Large ICMP Packet template
uses one specific parameter:
Packet SizeEnter the size threshold for ICMP packets.
If the size of an ICMP packet exceeds the threshold, NTA considers a Large ICMP Packet anomaly
occurred.
DHCP Offer Packet

NTA uses the IP addresses of valid DHCP servers to determine which packets are from valid DHCP
servers. The DHCP Offer Packet template uses the following specific parameters:
Host IPEnter the IP address and, optionally, the network mask of a valid DHCP server in this
field and click Add to add an entry to the Host IP List.
The Host IP List displays the IP addresses of all valid DHCP servers. To remove a DHCP server
from the list, select its IP address and click Delete.
Monitor DateSelect the days for DHCP packet monitoring. Options are:
Monday
Tuesday
Wednesday
Thursday
Friday
71
72
Saturday
Sunday
Start Time/End TimeEnter the monitoring time range during the monitoring day, in the format
hh:mm.
3 Host session monitoring

This chapter provides you with information on Host Session Monitoring in NTA, beginning with
how NTA analyzes network flow records to report on network traffic from host session perspective.
This chapter looks at the reporting options for host session monitoring and reviews configuration
issues around host session monitoring and the reports they generate. This chapter concludes with
a survey of the summary reports for all NTA servers as well as a look at the more granular reports
for the devices configured in NTA server.
Host session monitoring overview

NTA analyzes network flow data for host sessions. Devices configured on an NTA server send
flow data to the server. The NTA server parses the flow data and provides statistics on device host
sessions and NTA server sessions. NTA then generates an NTA host session report according to
the statistical data of all NTA servers. NTA allows you to set threshold alarms for host sessions. If
you want to generate alarms based on the data collected by devices configured on NTA servers,
set the threshold alarm function in the device host sessions monitor. By setting the threshold alarm
parameters, you can quickly identify the hosts that have an abnormal number of connections on
the network.
Host session monitoring reporting

After you enable the Host Session Monitor feature in the NTA traffic analysis parameters, NTA
creates a Sessions entry under the Traffic Analysis and Audit section of the left navigation tree.
Click the Sessions link to view the host session report of all NTA servers.
To view the host session report of a single NTA server, move your mouse pointer to the shortcut
menu icon
to the right of the Sessions link. The Sessions shortcut menu appears to display the
names of all NTA servers. Click the link for a name to view the host session report of a single NTA
server.
To view the host session report of a device attached to an NTA server, click the Expand icon
next to an NTA server on the shortcut menu to display the devices which send traffic statistics
packets to the NTA server. Click the device name link for a device to view the host session report
of a single device.
Host session monitoring configuration considerations

Host session monitoring is a global configuration. By default, NTA does not provide statistics on
host sessions. Therefore, you must enable this feature in the NTA traffic analysis parameters. For
instructions, see Configuring NTA traffic analysis parameters.
You must enable network flow data on the devices you want to monitor and report on using NTA.
Managing host session monitoring

After host session monitoring is enabled, NTA can process, analyze, and report on network flow
data. This section explains how to set threshold alarm parameters for host sessions in NTA.
Setting threshold alarm parameters for host sessions

You can generate alarms based on data collected by devices configured on NTA servers by setting
the threshold alarm parameters for device host sessions.
To set threshold alarm parameters:
2.
Move your mouse pointer to the shortcut menu icon

to the right of the Sessions link. The
Sessions shortcut menu appears to display the names of all NTA servers.
Host session monitoring overview
73
3.
4.
Click the Expand icon next to an NTA server on the shortcut menu to display the devices
which send traffic statistics packets to the NTA server.
Click the device name for which you want to set the threshold alarm.
The host session report page is displayed.
5.
6.
Click the Threshold link

located at the upper right corner of the host session report page.
The Threshold Alarm Settings dialog box is displayed.
Select Enable from the Threshold Alarm list to generate alarms based on the data collected
by this device and the thresholds you configured. Select Disable if you do not want to generate
alarms.
If you selected Enable, the page displays the threshold alarm configuration parameters.
7.
Configure the following alarm threshold settings:
TriggerDefine the conditions under which the threshold is triggered. This option has
two configuration parameters: the duration and the number of times the threshold must
be exceeded.
The duration defines the amount of time in which the threshold must be exceeded for the
threshold to be triggered and for NTA to generate an alarm. Select the duration from the
Trigger list. Options are Last 5 minutes, Last 10 minutes, Last 20 minutes, and Last 30
minutes. The default setting is Last 10 minutes.
You must also configure the number of times that the threshold value must be exceeded
before NTA generates an alarm. Enter the number of times the threshold must be exceeded
in the Trigger times field. The default setting is 3.
8.
Sessions ThresholdEnter the threshold value that must be exceeded before NTA generates
an alarm.
SeverityThis field indicates the severity level of the triggered threshold alarms. The value
must be Major.
Discard LengthThis field specifies the time interval in which a triggered alarm will not
be re-sent. Select the time interval from the Discard Length list. Options are None, Last
30 minutes, Last 1 hour, and Last 2 hours. The default setting is Last 30 minutes.
Click OK.
Viewing host session monitor reports

NTA provides different levels of reports for host sessions. The highest level provides summary
reports for the host sessions of all NTA servers. You access these reports by clicking the Sessions
branch of the left navigation tree under the Traffic Analysis and Audit section.
NTA also provides more granular reports-, including the summary host session report for each NTA
server and the summary host session report for each device. Move your mouse pointer to the
shortcut menu icon
to the right of the Sessions link. The Sessions shortcut menu appears to
display the entries to these reports.
This section explores the reports options available for host sessions, and includes a review of
process for navigating to host sessions report, a review of the summary reports available for all
NTA servers configured in NTA, and a review of the reports and features available for NTA server
host sessions and device host sessions.
Navigating to the host session monitor reports

1.
2.
74
Select Service > Traffic Analysis and Audit > Settings from the top navigation bar.
To view summary reports for the host sessions of all NTA servers, click Sessions under the
Traffic Analysis and Audit section.
Host session monitoring
3.
4.
To view the summary data for the host sessions of a single NTA server, move your mouse
pointer to the shortcut menu icon
to the right of the Sessions link. The Sessions shortcut
menu appears to display the names of all NTA servers. Click the name link for a NTA server
to view the summary host session number data of the NTA server.
To view the summary host session number data of a device attached to an NTA server, click
the Expand icon next to an NTA server on the shortcut menu to display the devices which
send traffic statistics packets to the NTA server. Click the device name link for a device to
view the summary host session number data of the device.
Summary reports for host sessions

Summary reports are the highest-level reports for all NTA server host sessions. You access these
reports by clicking Sessions of the left navigation tree under the Traffic Analysis and Audit section.
TopN Sessions of All Servers (Last 1 Hour)

This graph displays host sessions in the last 1 hour for the source and destination hosts of all NTA
servers. It has two bar charts:
TopN Sessions for Source provides statistics on sessions for the source hosts of all NTA servers.
TopN Sessions for Destination provides statistics on sessions for the destination hosts of all
NTA servers.
Access this graph by clicking Sessions of the left navigation tree. NTA can automatically adjust
the number of bars displayed in the graph according to the window size of the browser. To view
the bars that are not displayed in the current graph, click the page up/down icon / at the
upper right of the graph.
75
Figure 1 Summary Report: TopN Sessions of All Servers (Last 1 Hour)
TopN Sessions of Selected Servers (Last 1 Hour)

The graph appears only when NTA is deployed on multiple NTA servers in distributed mode. The
graph displays the number of source and destination host sessions of one or more NTA servers in
the last hour. The display effect is the same as the TopN Sessions of All Server report.
By default, the graph does not display the number of host sessions of any NTA server. The graph
displays the number of host sessions of NTA servers after you specify one or more NTA servers.
To specify NTA servers:
1. Click the Select Server link at the upper right of the TopN Sessions of Selected Servers title bar.
The Choose Server dialog box appears.
2.
3.
Click the boxes next to the NTA server names to select NTA servers you want to view in this
report.
Click OK.
The page will update to display the TopN Sessions of Selected Servers reports for the selected
NTA servers.
Detailed reports for host sessions

In addition to summary reports for all NTA servers, NTA provides a suite of reports for viewing the
host sessions data from different perspectives.
Individual NTA server host session report includes two lists for source and destination host sessions
in a NTA server. The two lists include the source and destination host IP address, number of sessions
for the associated source or destination, and the maximum session generation rate by the source
or destination. The host IP address serves as a link for navigating to the host session details report.
76
Device host session report includes two lists for source and destination host sessions in a device.
The two lists include the source and destination host IP address, number of sessions for the associated
source or destination, and the maximum session generation rate by the source or destination. The
host IP address serves as a link for navigating to the host session details report.
Host session details report includes the total sessions for host in 1 minute and the data samples for
host sessions generate per second.
Individual NTA server host sessions report

This report contains two lists for the source or destination host sessions on an NTA server. The lists
provide the source or destination host IP address, the sessions for the associated source or
destination, and the maximum session generation rate, in seconds, by the source or destination.
The host IP address serves as a link for navigating to the host session details report.
Query Sessions
NTA allows you to change the filter criteria for the individual NTA server host sessions report. You
can change the default settings for source or destination session pair information to customize the
lists displayed in the Query Sessions section.
To change the filter criteria for the report:
1. Enter one or more of the following search criteria:
SourceEnter the IP address or address range. To enter the IP address for a single
interface, use dotted decimal notation.
An example of a valid IP address entry follows:
10.153.89.10
An example of a valid network/subnet mask in dotted decimal notation follows:

10.153.89.0/255.255.255.0
An example of a valid network/subnet mask entry using CIDR notation follows:

10.153.89.0/24
An example of a valid IPv6 address entry follows:

a001:410:0:1::1
An example of a valid IPv6 address and subnet mask using CIDR notation follows:
a001:410:0:1::1/64
2.
DestinationEnter the IP address or address range. To enter the IP address for a single
To change the default time range for the tables on this page, select the time range from the
Query Time list in the Query Sessions section. Options are:
Last 1 minutes
Last 2 minutes
Last 5 minutes
Last 10 minutes
Last 30 minutes
Last 1 hours
Last 3 hours
Last 6 hours
You can query only the host sessions within the last six hours.
77
3.
Start TimeDisplays the start time for the report
End TimeDisplays the end time for the report
Click Display.
The page displays the results of your query.
TopN Sessions List

The individual NTA server host sessions report contains two lists:
TopN Sessions List for Source lists the source host IP address, the number of sessions for the
associated source, and the maximum sessions generation rate by the source host. The host IP
address serves as a link for navigating to the host session details report.
TopN Sessions List for Destination lists the destination host IP address, the number of sessions
for the associated destination, and the maximum sessions generation rate by the destination
host. The host IP address serves as a link for navigating to the host session details report.
Figure 2 Individual NTA Server Host Sessions Report: TopN Sessions List
For more information about the host session details report, see Host session details report.
Device host sessions report

This report contains two lists for source or destination host sessions on a device. The lists provide
the source or destination host IP address, the number of sessions for the associated source or
destination, and the maximum sessions generation rate by the source or destination. The host IP
Query Sessions
NTA allows you to change the filter criteria for the device host session report. You can change the
default settings for source or destination session pair information to customize the lists displayed
in the Query Sessions section.
78
1.
Enter one or more of the following search criteria:
SourceEnter the IP address or address range. To enter the IP address for a single
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1
a001:410:0:1::1/64
2.
DestinationEnter the IP address or address range. To enter the IP address for a single
To change the default time range for the tables on this page, select the time range from the
Query Time list in the Query Sessions section. Options are:
Last 1 minutes
Last 2 minutes
Last 5 minutes
Last 10 minutes
Last 30 minutes
Last 1 hours
Last 3 hours
Last 6 hours
You can only query the host sessions within the last six hours.
3.
Start TimeDisplays the start time for the report
End TimeDisplays the end time for the report
Click Display.
TopN Sessions List

The device host sessions report contains two lists:
TopN Sessions List for Source lists the source host IP address, the number of sessions for the
associated source, and the maximum generated session rate by the source host. The host IP
TopN Sessions List for Destination lists the destination host IP address, the number of sessions
for the associated destination, and the maximum generated session rate by the destination
host. The host IP address serves as a link for navigating to the host session details report.
79
Figure 3 Device Host Sessions Report: TopN Sessions List
Host session details report

The host session details report includes the Session Trend line chart and the Session Details list. To
view the report, click the a source or destination host IP address link on the TopN Sessions List in
the individual NTA server host sessions report or the device host sessions report. The time range
of the data in the host session details report is the same as that of the individual NTA server host
sessions report or the device host sessions report. For example, when the time range of the device
host sessions report is last 1 hour, the time range of the host session details report is also last 1
hour.
Session Trend
The Session Trend line chart provides the total number of sessions for the selected host in 1 minute.
Figure 4 Host Session Details Report: Session Trend
To return to the individual NTA server host sessions report or device host sessions report, click Back
located in the upper right of this chart.
Session Details
The Session Details list displays host sessions for the selected time range. It lists the timestamp, the
total number of sessions in 1 minute, and the average rate for selected host sessions generated
per second.
80
Figure 5 Host Session Details Report: Session Details
81
4 Interface monitoring
This chapter of the NTA administrator guide provides you with information on interface monitoring
in NTA, including how NTA analyzes network flow records report on network traffic from an
interface perspective. This chapter explores reporting options for interface traffic analyses and
reviews configuration issues around interface monitoring and traffic analysis tasks and the reports
they generate. This chapter also explores the process for adding interface traffic analysis tasks,
including step-by-step instructions for adding, modifying, and deleting tasks from NTA. It also
provides a survey of the summary reports for all interface tasks and a look at the more granular
reports for an individual interface traffic analysis task.
Interface traffic analysis overview

Interface traffic analysis tasks analyze network flow data by the interfaces you specify in interface
traffic analysis tasks. NTA will parse all network flow data and provide various statistical views of
traffic that was observed for the interfaces configured in an interface traffic analysis task. For
example, NTA will provide source and destination host information reporting by interface, displaying
the rate of traffic attributed to specific source or destination hosts that were observed sending or
receiving traffic across the selected interface.
In general, the NTA interface traffic analysis tasks provide traffic statistics for the interfaces
configured in every interface traffic analysis task. The interface traffic reports include rate of traffic
for all interfaces in all tasks, for all interfaces in each task, and for individual interfaces in a task.
Interface statistics include traffic rate by application, source host, destination host, and a session
or source/destination host pair. These reports are organized into multiple layers from summarized
information for all tasks to detailed reporting for specific interfaces configured for an individual
interface traffic analysis task.
Interface traffic analysis reporting overview

After you create the first interface traffic analysis task, NTA creates an entry called Interface Traffic
Analysis Task
under the section Traffic Analysis and Audit on the left navigation tree.
Click Interface Traffic Analysis Task on the left navigation tree to view the summary report for all
interface traffic analysis tasks.
to the right of the Interface Traffic Analysis
Task. The Interface Traffic Analysis Task shortcut menu appears to display all interface traffic
analysis tasks created in NTA. Click the name link for a task to view the interface traffic analysis
report of the task.
To view the interface traffic analysis report of an interface in an interface traffic analysis task, click
the Expand icon next to the task on the shortcut menu to display the all interfaces in the task.
Click the name link for an interface to view the interface traffic analysis report of the interface.
The summary interface traffic analysis report includes the following contents:
82
Average Rate (Last 1 Hour)This bar graph provides summarized average rate per second
reporting for all interfaces specified in all interface traffic analysis tasks summarized by task.
Each bar in the graph is a link to more detailed reporting for the selected task. This includes
traffic, application, source, destination, and session statistics:
TrafficReports found under the Traffic tab for interface reporting display the average
inbound and outbound rate per second, TopN by ToS, and the individual data samples
for all interfaces for the selected task or for an individual interface in a task.
ApplicationReports found under the Application tab for interface reporting display
percentage of application traffic generated by all interfaces in a task and average rate
Interface monitoring
of application traffic for all interfaces in the selected task or for an individual interface in
a task.
SourceReports found under the Source tab for interface reporting include inbound and
outbound reports that display the percentage of traffic generated by the TopN source
hosts and volume and percentage of traffic generated for each of the TopN source hosts
for all interfaces in the selected task or for an individual interface in a task.
DestinationReports found under the Destination tab for interface reporting include
inbound and outbound reports that display the percentage of traffic generated by the
TopN destination hosts and volume and percentage of traffic generated for each of the
TopN destination hosts for all interfaces in the selected task or for an individual interface
in a task.
SessionReports found under the Session tab for interface reporting include inbound and
outbound reports that display the percentage of traffic generated by the TopN source
and destination host pairs and volume and percentage of traffic generated for each of
the TopN source and destination host pairs for all interfaces in the selected task or for an
individual interface in a task.
Traffic Trend and TopN Application for Selected Task (Last 1 Hour)This set of line charts
provides per second average traffic rate summarized by interface traffic analysis task for
inbound and outbound traffic for all interfaces for the selected task or for an individual interface
in a task. A set of pie charts reveals the distribution of traffic for the TopN applications, with
one chart each for inbound and outbound traffic.
Summary List (Last 1 Hour)This list provides per second traffic rate and percentage of traffic
statistics summarized by interface traffic analysis task for inbound and outbound traffic for all
interfaces in all tasks.
Interface traffic analysis configuration considerations

There are several things to consider when you add interfaces to a task. The most influential is the
decisions you make regarding which interfaces belong to each task. This is important because it
determines how NTA groups interface for analysis, reporting, and navigation purposes. It is also
important because viewing statistics in juxtaposition to each other provides an additional layer of
analysis and interpretation of data. These are some other considerations:
By default, NTA does not monitor any interfaces. You must create a task for every interface
or group of interfaces on which you want to monitor and report.
You define how NTA groups interfaces for analysis and reporting purposes. NTA presents
interface traffic analysis tasks in The NTA left navigation system and provide summarized
interface reporting based on the way you have organized interfaces into tasks.
You can add one or more interfaces from one or more devices into a single task. You are not
limited to adding interfaces from a single device into one task. However, an interface can
only belong to one task.
Consider how you want to analyze, access, and view interface data, and then structure your
tasks around it. For example, if you want to view interface traffic statistics by geography, then
group interfaces into tasks organized by location. Otherwise, you can group interfaces by
function. For example, you can group all network ingress and egress interfaces into a single
task. This enables you to compare the traffic statistics for interfaces that perform a similar
function. Otherwise, you can group all interfaces associated with an application or a group
of applications or a business service into a single task. Another option is to create a single
task for every device, and add all of the interfaces from that device for which you want to
view statistics into the task. Also, you can create tasks organized by support team so that
operators have simplified access to reporting for the devices and interfaces they manage.
Interface traffic analysis overview
83
Add only those interfaces for which you want to view statistics. Do not add all of the interfaces
on a device unless you want to view reporting for all interfaces. Adding interfaces for which
you do not want to view statistics only clutters NTA interface navigation. This makes it more
difficult for you to find the interface for which you do want to view data.
When you add interfaces to a task, NTA presents a list of all interfaces that NTA knows about.
This list is generated from the devices that have been added to NTA using the Device
Management feature. If the interfaces you want to add do not appear on this list and if they
are not already included in another interface traffic analysis task, it is most likely because the
device has not been added to NTA or it has not been selected in the NTA server configuration
found under Server Management. For more information about selecting devices in NTA server
management, see Modifying an NTA server configuration.
If you do not add an interface to a task, NTA does not report on it.
An interface can only be added to one task. Careful planning of tasks and documenting them
is a valuable aid to you when you begin creating tasks and to help identify to which task an
application has been added.
You must enable network flow data on the devices and for the interfaces you want to monitor
and report on using NTA.
Managing interface traffic analysis Tasks

NTA processes, analyzes, and reports on network flow data through the tasks that administrators
create. Until a task is created, NTA does not analyze the data that devices forward to it or that it
is configured to receive. Effective management of tasks results in the reporting you need. This
section explores the step-by-step process for adding, modifying, or removing interface traffic analysis
tasks in NTA.
Viewing a traffic analysis task

NTA displays all traffic analysis tasks in the Traffic Analysis Task List.
To view the NTA traffic analysis task list:
2. Click the Traffic Analysis Task Management link in the Settings area of the Traffic Analysis
and Audit page.
NTA displays all tasks in the Traffic Analysis Task List in the main pane of the Task Management
page.
Task list contents
3.
84
Task NameContains the name of the task. The contents of this field serve as a link to
the Traffic Analysis Task Details page for the associated task.
Task DescriptionContains the description for the associated task.
Task TypeIdentifies the task type interface, VLAN, probe, application, host, VPN, or
inter-business.
Baseline AnalysisAppears when the baseline analysis feature is enabled in NTA

parameters. The baseline analysis feature provides an additional layer of analysis to
reports provided by NTA by including baseline trend data when data has been collected
for a minimum of one week.
task.
to the Modify Traffic Analysis Task page for the associated

for deleting the associated task.
To query NTA for the most current Traffic Analysis Task List, click the Refresh button in the
upper left corner of the Traffic Analysis Task List.
NOTE: You can sort the Traffic Analysis Task List by the Task Name, Task Description, Task Type,
and Baseline Analysis fields. The column label to sort the list by the selected field. The column label
Viewing interface traffic analysis task details

To view the details for an individual interface traffic analysis task:
and Audit page.
page.
3.
Click the contents in the Task Name field of the Traffic Analysis Task List whose Task Type is
Interface to view the details for an individual task.
Traffic analysis task details page
Task NameContains the name of the task.
ServerContains the name or IP address of the NTA server.
Task TypeIdentifies the task type, such as interface, VLAN, probe, application, host,
VPN, or inter-business.
ReaderIdentifies the operator groups in IMC that have been granted access to view
the reports generated by the associated traffic analysis task.
Baseline AnalysisIndicates whether or not the baseline analysis feature is enabled for
the task. If the Baseline Analysis field is not displayed, the baseline analysis feature is
disabled in the NTA parameters. For more information about configuration options for
the NTA parameters, including the baseline analysis feature, see Configuring NTA traffic
Threshold AlarmIndicates whether or not the threshold alarm feature is enabled for the
task. If you enabled the threshold alarm feature, the page shows the Threshold Alarm
Settings configuration parameters. The parameters include:
DirectionIndicates that which direction you want to apply the threshold, In, Out or
In/Out.
TriggerIndicates that under what conditions the threshold is triggered. This condition
has two configuration parameters, the time interval and the number of times that the
threshold must be exceeded.
In ThresholdSpecifies the threshold value or amount of inbound traffic that must

be exceeded before NTA generates an alarm.
Out ThresholdSpecifies the threshold value or amount of outbound traffic that must
be exceeded before NTA generates an alarm.
SeveritySpecifies the severity level of the triggered threshold alarms, which can
only be Major.
Discard LengthSpecifies the time interval in which a triggered alarm is not sent
again.
Interface InformationThis table contains a list of interfaces, their aliases, IP addresses,

maximum transmission rate, device name and device IP address for all interfaces providing
traffic for this traffic analysis task.
85
4.
Click Back to return to the Traffic Analysis Task List.
Adding an interface traffic analysis task

To add an interface traffic analysis task:
2. In the Settings area of the Traffic Analysis and Audit page, click the Traffic Analysis Task
Management link.
NTA displays all tasks in the Traffic Analysis Task List displayed in the main pane of the Task
Management page.
3.
Click Add.
The Add Traffic Analysis Task page appears.
4.
5.
Next to Interface on the Select Task Type section, click the option to add an interface traffic
analysis task.
Click Next.
The Add Traffic Analysis Task page is refreshed.
6.
Enter a name for this task in the Task Name field.

The task name must be unique.
NOTE: The name you assign to a task is the link you use to navigate to the task reports.
Therefore, assigning a descriptive and meaningful name to a task helps you to navigate quickly
and easily to reports.
7.
8.
9.
In the Task Description field, enter a description for this task.

From the Server list, select the NTA, NetStream, NetFlow, or sFlow collection server.
Unless otherwise configured by the administrator, the NTA server name is the IP address of
the NTA server. If the NTA server is installed on the same server as the IMC Platform, the IP
address is the loopback address of the IMC server.
10. To select the operator groups that have access to the analysis and reports provided by this
interface task, click the Select button next to the Reader field.
The Choose Operator Group dialog box appears.
a. From the Operator Group List, click the checkbox next to the operator group Name for
every operator group you want to grant access to. To select all operator groups, click the
checkbox located in the upper left corner of the column label field for all boxes.
b. Click OK to accept your operator group selection. The operator groups you selected are
displayed in the Reader field.
11. From the Baseline Analysis list, select Enable to enable baseline analysis for the reports
generated by this task, and select Disable to disable baseline analysis.
If you selected Enable from this list, the baseline trendline is displayed on graphs that support
this feature approximately seven days after the creation of the task. Initially, the baseline
trendline displays statistics based on the first weeks collection and is adjusted over time as
more data is collected.
If the Baseline Analysis list does not appear, the baseline analysis feature has not been enabled
in the NTA parameters. For more information about configuration options for the NTA
parameters, including the baseline analysis feature, see Configuring NTA traffic analysis
parameters.
86
12. From the Threshold Alarm list, select Enable if you want to generate alarms based on the data
collected by this task and the thresholds you configure, and select Disable if you do not want
to generate alarms.
If you selected Enable from the Threshold Alarm list, the page will update to show the Threshold
Alarm Settings configuration parameters.
13. Perform the following instructions to configure the threshold settings.
DirectionAllows you to define to which traffic you want to apply the threshold.
Select In if you want to apply the threshold to inbound traffic only.
Select Out if you want to apply the threshold to outbound traffic only.
Select In/Out if you want to apply the threshold to both inbound and outbound traffic.
The default setting is In/Out.
TriggerAllows you to define under what conditions the threshold is triggered. This option
The time interval defines the amount of time within which the threshold must be
exceeded for the threshold to be triggered and for NTA to generate an alarm. Select
the time interval you want to apply from the Trigger list. Options are Last 5 minutes,
Last 10 minutes, Last 20 minutes, and Last 30 minutes. The default setting is Last 10
minutes.
before NTA generates an alarm. Enter the number of times the threshold must be
exceeded in the Trigger times field. The default setting is 3 times.
In ThresholdEnter the threshold value or amount of inbound traffic that must be exceeded
before NTA generates an alarm in the In Threshold field. Select % from the list located
to the right of the In Threshold field, if you want NTA to calculate the inbound traffic as
a percent of total available inbound bandwidth. Otherwise, select the rate of traffic for
the selected interfaces from the list.
Out ThresholdEnter the threshold value or amount of outbound traffic that must be
exceeded before NTA generates an alarm in the Out Threshold field. Select % from the
list next to the Out Threshold field, if you want NTA to calculate the outbound traffic as
a percent of total available outbound bandwidth. Otherwise, select the rate of traffic for
SeveritySpecifies the severity level of the triggered threshold alarms, which can only
be Major.
Discard LengthSpecifies the time interval in which a triggered alarm is not sent again.
Select the time interval you want to apply from the Discard Length list. Options are None,
Last 30 minutes, Last 1 hour, and Last 2 hours. The default setting is Last 30 minutes.
14. To select one or more interfaces that will provide network flow data, click the Select button
above the Interface Information list.
You must add at least one interface to an interface traffic analysis task.
NOTE: For considerations on how to organize interfaces into tasks, see Interface traffic
analysis configuration considerations.
The Add Interface page is displayed.
There are two methods for adding interfaces. You can add them automatically or configure
them manually. The sections that follow explore these two methods.
87
15. To obtain interfaces automatically:

a. At the top of the Add Interface page, click the Obtain Automatically tab.
All interfaces that can be selected for use as a traffic analysis task are displayed in the
Interface Information list displayed under the Obtain Automatically tab of the Add Interface
page.
For the interfaces of a device to appear on this list, the device must first be added to NTA
using The NTA Device Management feature. Then the device must be selected in the NTA
server configuration under Server Management. For more information about adding a
device for traffic analysis to NTA, see Device management. For more information about
selecting devices in NTA server management, see Modifying an NTA server
configuration. The device you want to add must also be configured to forward NetStream,
NetFlow, or sFlow traffic to NTA as the traffic collector or collection server.
b.
c.
To select one or more interfaces to add to the task, click the box next to the Interface
Description field for every interface you want to add.
Click OK to accept your interface selection.
When you can add successfully the interfaces you select to the task, they appear in the
Interface Information list.
16. To configure interfaces manually:

a. At the top of the Add Interface page, click the Configure Manually tab to add interfaces
manually to an interface traffic analysis task.
The page will update to display the configuration options for manually adding an interface
to a traffic analysis task.
b.
In the Interface Name field, enter the name for the interface.
Assigning a descriptive and meaningful name to an interface aids you in navigating
quickly and easily to reports.
c.
From the Device list, select the device to which the interface belongs.
For a device to appear on this list, the device must first be added to NTA using Device
Management. Then the device must be selected in the NTA server configuration under
Server Management. For more information about adding a device for traffic analysis to
NTA, see Device management. For more information about selecting devices in NTA
server management, see Modifying an NTA server configuration. The device you want
to add must also be configured to forward NetStream, NetFlow, or sFlow traffic to NTA
as the traffic collector or collection server.
d.
In the Interface Index field, enter the unique interface index or ifIndex number for the
interface.
You can view the interface index for any interface on a device managed by IMC by
navigating to the Interface Details page of a device from its Device Details page.
To navigate to the Interface Details page for an individual device:
e.
f.
Click the Resource tab at the top of the page.

Under View Management section on the navigation tree, click Device View.
The Device List All is displayed. This list displays all devices in IMC.
g.
Find the device for which you want to view interface details, and then click the link in the
Device Label column in the Device List All for the device for which you want to view
interface details.
The Device Details page appears.
88
h.
In the Interfaces field of the Device Details page for the selected device, click the Interface
List link.
The Interface List appears. See the Interface Index field for the value that NTA accepts
as the interface index in the Interface Index field.
For more information about the contents of the Device Details page and the Interface
Details page, see Intelligent Management Center Base Platform Administrator Guide.
i.
j.
In the Max. Speed field, enter the maximum speed of the interface.
In the list next to the Max. Speed field, select the unit of measure for the interface speed.
CAUTION: Assigning an incorrect interface maximum speed and unit of measure to an
interface results in incorrect statistical analysis and reporting of metrics. Verify that the
maximum interface speed and unit of measure you enter is correct.
k.
Click OK to add the interface manually.
NOTE: You can use both methods to add interfaces to an interface traffic analysis task. To
do so, complete the steps described for each method.
17. Click OK to create the interface traffic analysis task.
Once you create an interface traffic analysis task, NTA creates an entry called
Interface
Traffic Analysis Task on the left navigation tree. Click the entry to view the summary report
for all interface traffic analysis tasks.
to the right of Interface Traffic Analysis
Task. The Interface Traffic Analysis Task shortcut menu appears to display all interface traffic
analysis tasks created in NTA. Click the name link for a task to view the interface traffic analysis
report of the task.
Click the Expand icon next to a task on the shortcut menu to display all interfaces in the
task. Click the name link for an interface to view the interface traffic analysis report of the
interface.
For information about accessing and viewing interface traffic analysis reports, see Viewing
interface traffic analysis reports."
NOTE: You must also configure NetStream, NetFlow, or sFlow traffic from the configured interfaces
to the NTA server. To do so, see device configuration guides.
Modifying an interface traffic analysis task

To modify an interface traffic analysis task:
and Audit page.
Management page.
3.
associated with the interface traffic analysis task you want to modify.
The Modify Traffic Analysis Task page appears.

4.
Modify the name for this task in the Task Name field.
5.
Modify the description for this task in the Task Description field.
89
6.
Select the NTA NetStream, NetFlow, or sFlow collection server from the Server list.
7.
To add new operator groups that have access to the analysis and reports provided by this
interface task, click the Select button located to the right of the Reader field.
The Operator Group List dialog box appears.
every operator group to which you want to grant access. To select all operator groups,
click the checkbox in the upper left corner of the column label field for all boxes.
b. Click OK to accept the new additions to operator group.
The operator groups you selected are displayed in the Reader field.
c.
d.
e.
To revoke operator group access to the results of this interface traffic analysis task, highlight
the groups in the Reader field you want to remove.
Click Delete.
Click OK to confirm the deletion of the selected operator groups from the task.
The Reader list is updated to reflect the deleted operator group changes.
8.
From the Baseline Analysis list, select Enable to enable baseline analysis for the reports
generated by this task and, to disable baseline analysis, select Disable.
If you selected Enable from this list, the baseline analysis trendline appears on graphs that
support this feature approximately seven days after the creation of the task. Initially, the
baseline trendline displays statistics based on the first weeks collection and is adjusted over
time as more data is collected.
If the Baseline Analysis list does not appear, the baseline analysis feature has not been enabled
in the NTA parameters. For more information about configuration options for the NTA
parameters.
From the Threshold Alarm list, select Enable if you want to generate alarms based on the
data collected by this task and the thresholds you configure.
From the Threshold Alarm list, select Disable if you do not want to generate alarms.
If you selected Enable from the Threshold Alarm list, the page will update to display the
Threshold Alarm Settings configuration parameters. Perform the following instructions to
configure the threshold settings.
DirectionAllows you to define to which traffic you want to apply the threshold.
Select In if you want to apply the threshold to inbound traffic only.
Select Out if you want to apply the threshold to outbound traffic only.
Select In/Out if you want to apply the threshold to both inbound and outbound traffic.
The default setting is In/Out.
TriggerAllows you to define under what conditions the threshold is triggered. This option
90
The time interval defines the amount of time within which the threshold must be
exceeded for the threshold to be triggered and for NTA to generate an alarm. Select
the time interval you want to apply from the Trigger list. Options are Last 5 minutes,
Last 10 minutes, Last 20 minutes, and Last 30 minutes. The default setting is Last 10
minutes.
9.
before NTA generates an alarm. Enter the number of times the threshold must be
exceeded in the Trigger times field. The default setting is 3 times.
In ThresholdEnter the threshold value or amount of inbound traffic that must be exceeded
before NTA generates an alarm in the In Threshold field. Select % from the list next to
the In Threshold field, if you want NTA to calculate the inbound traffic as a percent of
total available inbound bandwidth. Otherwise, select the rate of traffic for the selected
interfaces from the list.
Out ThresholdEnter the threshold value or amount of outbound traffic that must be
exceeded before NTA generates an alarm in the Out Threshold field. Select % from the
list next to the Out Threshold field, if you want NTA to calculate the outbound traffic as
a percent of total available outbound bandwidth. Otherwise, select the rate of traffic for
SeveritySpecifies the severity level of the triggered threshold alarms, which can only
be Major.
Discard LengthSpecifies the time interval in which a triggered alarm is not sent again.
Select the time interval you want to apply from the Discard Length list. Options are None,
Last 30 minutes, Last 1 hour, and Last 2 hours. The default setting is Last 30 minutes.
Above the Interface Information list, click the Select button to add one or more interfaces that
provide network flow data.
You must have at least one interface configured for an interface traffic analysis task. The Add
Interface page appears.
There are two methods for adding interfaces. You can you can add them automatically or
configure them manually. The following sections explore these two methods.
10. Obtaining interfaces automatically

a. At the top of the Add Interface page, click the Obtain Automatically tab to add interfaces
automatically to the interface task.
All interfaces that can be selected for use as a traffic analysis task are displayed in the
Interface Information list displayed under the Obtain Automatically tab of the Add Interface
page.
using The NTA Device Management feature. Then the device must be selected in the NTA
server configuration under Server Management. For more information about adding a
device for traffic analysis to NTA, see Device management. For more information about
selecting devices in NTA server management, see Modifying an NTA server
configuration. The device you want to add must also be configured to forward NetStream
NetFlow, or sFlow traffic to NTA as the traffic collector or collection server.
b.
c.
Next to the Interface Description field for every interface you want to add, click the
checkbox to select one or more interfaces to add to the task.
When the interfaces you select are added successfully to the task, they appear in the
11. Configuring interfaces manually

a. At the top of the Add Interface page, click the Configure Manually tab to add interfaces
manually to an interface traffic analysis task.
91
b.
Assigning a descriptive and meaningful name to an interface aids you in navigating
c.
For a device to appear on this list, the device must first be added to NTA using The NTA
device management feature. Then the device must be selected in the NTA server
configuration under Server Management. For more information about adding a device
for traffic analysis to NTA, see Device management. For more information about selecting
devices in NTA server management, see Modifying an NTA server configuration. The
device you want to add must also be configured to forward NetStream, NetFlow, or
sFlow traffic to NTA as the traffic collector or collection server.
d.
In the Interface Index field, enter the unique interface index number for the interface.
To navigate to the Interface Details page for an individual device
e.
f.
From the tabular navigation system on the top, click the Resource tab.
Under View Management section on the navigation tree on the left, click Device View.
g.
In the Device List, click the link in the Device Label column for the device for which you
want to view interface details.
h.
List link.
The Interface List appears. See the Interface Index field for the value NTA accepts as the
interface index in the Interface Index field.
i.
j.
maximum interface speed and unit of measure you enter is correct.
k.
12. To remove an interface from an interface traffic analysis task, click the Delete icon
associated with the interface you want to remove.
13. Click OK to accept your modifications the interface traffic analysis task.
Deleting an interface traffic analysis task

To delete an interface traffic analysis task:
92
2.
In the Settings area of the Traffic Analysis and Audit page, click the Traffic Analysis Task
Management link.
page.
3.
4.

associated with the interface traffic analysis task you want to delete.
Click OK to confirm the deletion of the selected interface traffic analysis task.
The Traffic Analysis Task List reflects the removal of the deleted task.
Adding an interface traffic analysis task by using the detection function

NTA can perform traffic detection on device interfaces. After you add a traffic analysis task, NTA
automatically detects interfaces with traffic but without any traffic analysis task. You can view these
interfaces and create new traffic analysis tasks for them or add them to the existing traffic analysis
tasks.
Viewing the detected interfaces

1.
2.

to the right of
Analysis Task and under the Traffic Analysis and Audit section.
Interface Traffic
The Interface Traffic Analysis Task shortcut menu appears.

3.
Click Not Configured Interfaces in <NTA server IP address> in the shortcut menu to view
interfaces with traffic but without any traffic analysis task on the NTA server.
Interface Information list contents
Device NameName of the device where the interface resides.
Device IPIP address of the device where the interface resides.
Interface AliasAlias of the interface.
Interface DescriptionDescription of the interface.
Interface IndexIndex of the interface.
In Traffic (latest 1 hour)Inbound traffic on the interface in the latest 1 hour.
Out Traffic (latest 1 hour)Outbound traffic on the interface in the latest 1 hour.
Adding a new traffic analysis task for interfaces

1.
2.
Select the boxes next to the interfaces on the Interface Information list.
Click Create New Task.
The Add Traffic Analysis Task page appears. The interface list on the page displays the
interfaces you select in step 1.
3.
Configure parameters for the traffic analysis task.

For more information about the configuration, see Adding an interface traffic analysis task.
Adding interfaces to an existing traffic analysis task

1.
2.
Select the boxes next to the interfaces on the Interface Information list.
Click Add to Existing Task.
The Add Traffic Analysis Task page appears. The interface list on the page displays the
interfaces you select in step 1.
3.
4.
Select the option next to the target interface traffic analysis task.
Click OK.
93
Viewing interface traffic analysis reports

NTA provides various levels of reporting for all traffic analysis tasks. The highest level provides
summarized reporting for all tasks of the same type whether the task type is interface, VLAN, probe,
application, host, VPN, or inter-business. These reports are accessed by clicking the highest level
entry of the left navigation tree under the Traffic Analysis and Audit section. To view summarized
reporting for all interface tasks, click the
tree.
Interface Traffic Analysis Task entry of the left navigation
NTA also provides more detailed reporting for individual tasks, including reports for every interface
configured in an interface traffic analysis task. NTA groups individual tasks by type. All interface
tasks branch can be found on the Interface Traffic Analysis Task menu.
To view the Interface Traffic Analysis Task shortcut menu, move your mouse pointer to the shortcut
menu icon
to the right of
Interface Traffic Analysis Task. The shortcut menu displays all
interface traffic analysis tasks created in NTA. Click the name link for a task to view the interface
traffic analysis report of the task. Click the Expand icon next to a task on the shortcut menu to
display all interfaces in the task. Click the name link for an interface to view the interface traffic
analysis report of the interface.
This section describes the reporting options available for interface traffic analysis tasks, including
a review of process for navigating to interface traffic analysis tasks, a review the summary reports
available for interface tasks, and a review of the reports and features available for an individual
Navigating to the interface traffic analysis reports

To navigate to interface traffic reports:
2.
Under the Traffic Analysis and Audit section of the left navigation tree, click the
Traffic Analysis Task entry to view summary reporting for all interface tasks.
3.
To view the report for a single task, move your mouse pointer to the shortcut menu icon
the right of
Interface
to
Interface Traffic Analysis Task.
The Interface Traffic Analysis Task shortcut menu appears to display all interface traffic analysis
tasks created in NTA. Click the name link for a task to view the interface traffic analysis report
of the task.
4.
To view the interface traffic analysis report of an interface in an interface traffic analysis task,
click the Expand icon next to the task on the shortcut menu to display the all interfaces in
the task. Click the name link for an interface to view the interface traffic analysis report of the
interface.
Summary reports for all interface tasks

Summarized reports are the highest level of reporting for all tasks of the same type. These reports
are accessed by clicking the
Interface Traffic Analysis Task entry of the left navigation tree
under the Traffic Analysis and Audit section. In addition, these reports provide navigation aids to
the reports for an individual task. This section reviews the summarized reports and the features
found in them.
Average rate (last 1 hour)

The Average Rate (Last 1 Hour) bar graph summarizes the average rate of traffic for all interfaces
in every interface traffic analysis task, grouped by task for the last hour. You can access this graph
by clicking the
Interface Traffic Analysis Task entry of the left navigation tree. The bars in the
graph link to the detailed reports for the selected task.
94
Figure 6 Summary Report: Average Rate (Last 1 Hour)
Traffic trend and TopN application for selected task (last 1 hour)
The report of the traffic trend and topN application for selected task includes four subreports. Traffic
Trend In, Traffic Trend Out, TopN Application In, and TopN Applications Out.
Figure 7 Summary Report: Traffic Trend and TopN Application for Selected Task
The Traffic Trend In line chart provides the summarized average rate of inbound traffic for all
interfaces in the selected interface traffic analysis task for the last hour.
The Traffic Trend Out line chart provides the summarized average rate of outbound traffic for all
interfaces in the selected interface traffic analysis task for the last hour.
The TopN Application In pie chart displays the distribution of inbound traffic for the TopN
applications for all Interfaces in the selected traffic analysis task for the last hour.
The TopN Applications Out pie chart displays the distribution of outbound traffic for the TopN
applications for all interfaces in the selected traffic analysis task for the last hour.
No data is graphed on these charts until you specify a task.
95
1.
To select the task, click the Select Task link in the upper right corner of the Traffic Trend and
TopN Application for Selected Task title bar.
The Choose NTA Task dialog box appears.
2.
3.
Click the checkbox next to Interface task for which you want to view this report.
Click OK.
The page displays the Traffic Trend In, Traffic Trend Out, TopN Application In, and TopN
Application Out reports for the selected task.
Summary list (last 1 hour)

The Summary List provides inbound and outbound traffic rates and percentage of traffic statistics
summarized by interface task for the last hour.
1.
Click the
Interface Traffic Analysis Task entry of the left navigation tree.
Summary list contents
2.
3.
96
Task NameContains the name of the interface traffic analysis task. The contents of this
field link to reports for associated task.
In RateProvides the inbound traffic rate for all interfaces configured for the associated
task.
PercentageProvides the percent of link utilization for inbound traffic by all interfaces in
the associated task.
Out RateProvides the outbound traffic rate for all interfaces configured for the associated
task.
PercentageProvides the percent of link utilization for outbound traffic by all interfaces
in the associated task.
Traffic Log AuditContains the

Traffic Log Audit icon of the interface traffic analysis
task. The icon of this field is a link to Traffic Log Audit result page.
The Add button at the top of the Summary List provides a shortcut to the Add Interface Traffic
Analysis Task page. For more information about adding interface traffic analysis tasks, see
Adding an interface traffic analysis task.
Click the Refresh button to update the reports with the most recent data.
4.
Click the Export button to view reports using the IMC Intelligent Analysis Report Viewer and
to print or export all reports found on this page.
a.
b.
c.
To print this report, click the print icon

on the toolbar.
From Page Range, select the page range.
To export the data, click Export.
d.
e.
To export this report, click the export icon

on the toolbar.
From the File Format list, select the export file format.
Options are:
f.
g.
Crystal Reports (RPT)
Adobe Acrobat (PDF)
Microsoft Excel (97-2003)
Microsoft Excel (97-2003) DataOnly
Microsoft Word (97-2003) Editable
Rich Text Format (RTF)
Comma Separated Values (CSV)

Click Export.
Detailed reports for an interface traffic analysis task

In addition to summary reporting for all tasks, NTA provides a suite of reports for viewing interface
data from different perspectives. Reports for interfaces are organized into five reporting groups:
Traffic, Application, Source, Destination, and Session.
Traffic reports for interface tasks provide overall traffic statistics, including ToS/MPLS Exp flux
statistics for all interfaces in a task for the selected time range.
Application reports provide rate of traffic statistics by application that enable you to get
detailed reports for an individual application.
Source reports provide rate and percentage distribution of traffic by source host for all interfaces
in a task for the selected time range.
Destination reports provide rate and percentage distribution of traffic by destination host for
all interfaces in a task for the selected time range.
Session reports provide rate and percentage distribution of traffic for source and destination
pairs for all interfaces in a task for the selected time range.
Source, destination, and session reports enable you to get detailed traffic reports for an individual
host and session.
Traffic reports
Traffic reports for interface tasks provide overall traffic statistics for all interfaces configured in an
interface traffic analysis task or for an individual interface in a task.
Traffic reports for an interface traffic analysis task have the Traffic Trend line chart that provides
average inbound and outbound traffic rates for all interfaces in the selected traffic analysis task.
This chart provides link utilization, average, minimum average, maximum average, and total traffic
volume statistics in a tabular format for both inbound and outbound traffic for the associated task.
Traffic reports for an interface task have a tabular view of total traffic volume and percentage of
total traffic volume grouped by ToS/MPLS Exp for both inbound and outbound traffic in the TopN
Traffic List for ToS/MPLS Exp table.
97
Traffic reports for an interface task have the Flux Distribute In Interface stacked bar chart that
graphs the average rate of both inbound and outbound traffic for every interface configured in
the task.
Traffic reports for an interface task have the Interface Flux Trend line chart that provides average
inbound and outbound traffic rates for selected interfaces configured in the selected traffic analysis
task.
The reports have the Traffic Details list that provides the data collection samples that include
timestamp, total volume of traffic and traffic rate in seconds for both inbound and outbound traffic.
NTA also provides a query option for filtering reports based on criteria you define.
To view the reports for an interface task, click the Traffic tab to view traffic reports for the selected
Query traffic
NTA enables you to change the filter criteria for interface reports. You can change the default
settings for the time range for the graphs and tables to customize the reports displayed.
1. In the query criteria area in the upper right corner of the traffic report, click the query criteria
icon
. On the list that appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours,
2.
Last 7 days, Last 30 days, Last 3 months, or Custom. Click the Query icon
in the query
criteria area to set the time range for the traffic report.
To customize the time range for the traffic report, select Custom from the list that appears in
3.
the query criteria area, or click the Advanced icon

to expand the query criteria setting section.
Enter or select the following query criteria:
Start TimeEnter the start time of the time range, in the format of YYYY-MM-DD hh:mm.
Or, click the Calendar icon
time.
to the right of the input box to manually specify a start
End TimeEnter the end time of the time range, in the format of YYYY-MM-DD hh:mm.
time.
4.
to the right of the input box to manually specify an end
Click OK.
98
to the right of the query criteria field
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
From the File Format list, select the export file format. Options are:
f.
g.
Adobe Acrobat (PDF)

Click Export.
Traffic trend average

The Traffic Trend combination line chart provides average inbound and outbound traffic rates for
all interfaces in the selected traffic analysis task or for a specific interface in an interface task. This
chart also provides total traffic volume statistics, maximum average, minimum average, average,
and link use in a tabular format for both inbound and outbound traffic for the associated task or
interface for the selected time range. If there is more than one interface for the selected task, these
statistics reflects traffic for all interfaces configured in a task.
Figure 8 Traffic Report: Traffic Trend
If the selected traffic analysis task enabled the baseline analysis feature, the Traffic Trend
combination line chart shows two charts: inbound Traffic Trend and outbound Traffic Trend. The
green line indicates the average incoming or outgoing traffic rate, and the orange line indicates
the baseline. For more information about configuring the baseline analysis feature for the interface
traffic analysis task, see Adding an interface traffic analysis task.
99
Figure 9 Traffic Report: Traffic Trend with baseline
To view these charts for an individual interface, click the bar in the Flux Distribute In Interface
graph for the interface you want to view this report for. For more information on the Flux Distribute
In Interface report, see Flux distribute in interface reports.
By default, the Traffic Trend chart displays statistics for the previous hour.
To view data for an earlier period, click the Previous button located in the upper right corner
of the Traffic Trend chart.
To view data for a later period, click the Next button located in the upper right corner of the
Traffic Trend chart.
Traffic trend peak rate

NTA displays the Max./Min. Peak Rate chart to the right of the Traffic Trend chart when the Peak
Traffic Analysis feature is enabled and the time range for the report exceeds 6 hours.
The Traffic Trend Peak Rate line chart displays the minimum and maximum peak traffic rate for
the associated task for the selected time range for both inbound and outbound traffic. This chart
contains four lines: Max. In Peak Rate, Min. In Peak Rate, Max. Out Peak Rate, and Min. Out Peak
Rate.
Figure 10 Traffic Report: Peak Rate
If the baseline analysis feature is enabled for the selected traffic analysis task, the Traffic Trend
combination line chart shows two charts: inbound Traffic Trend and outbound Traffic Trend. NTA
displays the Max./Min. In Peak Rate chart and Max./Min. Out Peak Rate chart under the Traffic
Trend chart. For more information about configuring the baseline analysis feature for the interface
traffic analysis task, see Adding an interface traffic analysis task.
Figure 11 Traffic Report: Peak Rate with baseline
To view these charts for an individual interface, click the bar in the Flux Distribute In Interface
graph for the interface you want to view this report for. For more information on the Flux Distribute
TopN traffic list for ToS/MPLS Exp

The TopN Traffic List for ToS/MPLS Exp provides administrators with a tabular view of total traffic
volume and percentage of total traffic volume grouped by ToS or MPLS Exp for both inbound and
outbound traffic for the selected time range for an interface traffic analysis task or for a selected
interface in a task.
Figure 12 Traffic Report: TopN Traffic List for ToS/MPLS Exp
To view this chart for an individual interface, click the bar in the Flux Distribute In Interface graph
for the interface for which you want to view this report. For more information about the Flux Distribute
TopN VLAN traffic list
The TopN VLAN Traffic List provides the VLAN Traffic-Incoming and VLAN Traffic-Outgoing charts.
The VLAN Traffic-Incoming chart displays the TopN VLAN traffic received on all interfaces in the
traffic analysis task. The chart displays the VLAN ID, Traffic, and Percent.
101
The VLAN Traffic-Outgoing chart displays the TopN VLAN traffic sent out all interfaces in the traffic
analysis task. The chart displays the VLAN ID, Traffic, and Percent.
Figure 13 Traffic Report: TopN VLAN Traffic List
Flux distribute in interface

If the task you selected has multiple interfaces configured for it, the Flux Distribute In Interface
stacked bar chart displays the average rate of both inbound and outbound traffic for every interface
configured in the task for the selected time range. The bars in the graph link to the reports for the
selected interface.
Figure 14 Traffic Report: Flux Distribute In Interface
This chart is displayed only when the selected task has more than one interface selected.
Interface flux trend
The Interface Flux Trend line graph provides the average traffic trend for the selected interfaces.
Figure 15 Traffic Report: Interface Flux Trend
No data will be graphed on these line charts until you specify one or more interfaces.
1. To select the interface, click the Select Interface link in the upper right corner of the Interface
Flux Trend title bar.
The Choose Interface dialog box is displayed.
2.
3.
Click the checkbox next to the interfaces for which you want to view this report.
Click OK.
The page displays the Interface Flux Trend reports for the selected interfaces.
Traffic details
The Traffic Details list provides the data collection samples for traffic statistics based on the report
time range for the selected interface traffic analysis task or for a selected interface in a task. This
report includes timestamp, total volume of traffic, and traffic rate in seconds for both inbound and
outbound traffic.
Figure 16 Traffic Report: Traffic Details
To view this chart for an individual interface, click the bar in the Flux Distribute In Interface graph
for the interface for which you want to view this report.
For more information on the Flux Distribute In Interface report, see Flux distribute in interface
reports.
Application reports
Application reports provide traffic statistics by application, by protocol, and by application category
for all interfaces in a task or for an individual interface in a task, with information to the details for
an individual application, protocol, or application category.
Application reports for an interface traffic analysis task have the Application List, which provides
a list of applications observed for all interfaces in the selected interface traffic analysis task or for
a selected interface in a task. This list includes total volume of traffic for the associated application,
rate of traffic observed on all interfaces generated by the associated application. This report also
provides capabilities for in-depth additional reports for the selected application.
The Application Traffic Trend In/Out stacked area chart provides average inbound/outbound
traffic rates for all applications observed for all interfaces in the selected traffic analysis task or for
an individual interface in a task.
Protocol reports for an interface traffic analysis task include the Protocol List, which provides a list
of protocols observed for all interfaces in the selected interface traffic analysis task or for a selected
interface in a task. This list includes total volume of traffic for the associated protocol, rate of traffic,
and the percentage of all observed traffic observed on all interfaces generated by the associated
protocol. This report also provides capabilities for additional in-depth reports for the selected
protocol.
The Protocol Traffic Trend In/Out stacked area chart provides average inbound/outbound traffic
rates for all protocol observed for all interfaces in the selected traffic analysis task or for a selected
interface in a task. Protocol reports also have traffic lists and trend reports for individual protocols.
Application category reports for an interface traffic analysis task have the Application Category
List, which provides a list of the application categories observed for all interfaces in the selected
interface traffic analysis task or for a selected interface in a task. This list includes total volume of
traffic for the associated application categories, rate of traffic observed on all interfaces generated
by the associated application category. This report also provides capabilities for in-depth additional
reports for the selected application category.
The Application Category Traffic Trend In/Out stacked area chart provides average
inbound/outbound traffic rates for all applications observed for all interfaces in the selected traffic
Viewing interface traffic analysis reports 103
analysis task or for an interface in a selected task. Application category reports also have traffic
lists and trend reports for the individual application categories.
As with all of the report types for an interface task, NTA also provides a query option for filtering
reports based on criteria you define. To view the reports for an interface task, click the Application
tab to view application reports for the selected interface traffic analysis task, and set the Query
Type to Application as described in Query applications.
Application reports display reports organized by the list of applications in NTA. NTA provides
many system defined applications and NTA also supports user defined applications. For more
information about applications in NTA, see Managing applications. In this section we explore
the reports available for applications.
Query applications
To view reports by application, you must configure the filter criteria for application reports. The
application query option enables you to change the default settings for query type, application,
or time range for the graphs and tables to customize the reports displayed under the Application
tab.
1.
Click the query criteria icon
in the upper right corner of Application Report, and select
2.
Custom from the list that appears. Or, click the Advanced icon
criteria field to expand the query criteria setting section.
Select Application from the Query Type list.
to the right of the query
The page displays the report for Layer 4 through Layer 7 applications.
3.
Enter or select the other query criteria:
ApplicationTo select the application you want to search for, click the Select button
located to the right of the Application field.
The Query Applications dialog box is displayed and an empty Application List is displayed
in the lower portion of the dialog box. To select the applications you want to search for,
you must first query the Application List. To do so:
a.
b.
c.
Enter one or more of the following search criteria in the Query Applications section of
the dialog box:

Pre-definedFrom the Pre-defined list, select Yes to search for applications that are
predefined. To filter for applications that are user-defined, select No from the list. To
include system, predefined, and user-defined applications, select Not limited.
The results of your query appear in the Application List below the Query Applications
section.
d.
Click the checkboxes next to the applications for which you want to search.
e.
Click OK to add the applications to the filter.

The applications you selected are displayed in the Application field.
Click the Clear button next to the Application field to clear all selected applications.
time.
time.
Additionally, to set the start time and end time for the application report, you can click
the query criteria icon
in the upper right corner of the application report. On the list
that appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours, Last 7 days,
Last 30 days, Last 3 months, or Custom. Click the Query icon
in the query criteria
area to set the time range for the traffic report for Layer 4 through Layer 7 applications.
4.
Click OK .
5.
Click the Export button to view reports using the IMC Intelligent Analysis Report Viewer, and
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
Select the export file format from the File Format list. Options are:
f.
g.
Adobe Acrobat (PDF)

Click Export.
Application list
The Application List provides a list of the applications observed for all interfaces in the selected
interface traffic analysis task or for a single interface in a task for the selected time range. This list
includes the application name, a link for viewing the ports for all unknown applications, total
volume of traffic for the associated application, rate of traffic, and the percentage of traffic on all
interfaces generated by the associated application. The application name in the Application field
is a link to reports for the selected application.
Figure 17 Application Report: Application List
Select 8, 15, 50, 100, or 200 from the lower right side of the main pane to configure how many
items per page you want to view.
Click the name link for an application to view the report for the application. For more information
about the report for each individual application, see Individual application reports.
Application traffic trend
traffic rates for all applications observed for all interfaces in the selected traffic analysis task or for
an interface in a task for the selected time range. If there is more than one interface for the selected
task, these statistics reflects traffic for all interfaces configured in a task.
Figure 18 Application Report: Application Traffic Trend - In/Out
Individual application reports

NTA provides traffic trend statistics for the individual applications that were observed on the
interfaces for a selected task. Individual application reports have the Application Traffic Information
report that displays the average rate of traffic for the selected application and a source and
destination host list that identifies which source and destinations contributed the greatest volume
of traffic for the selected application.
Individual application reports also have the TopN Application Usage List for source and destination
hosts, and reports for unknown TCP and UDP applications.
Unknown applications are those applications for which the layer 4 TCP or UDP port number has
not been assigned a name and is not included as an application in NTA. For more information
about assigning names to TCP or UDP ports and adding them as applications to NTA, see
Managing applications.
To view individual application reports for an interface task or for a single interface in an interface
task, click the name in the Application field of the Application List report for the application for
which you want to view this report.
To view unknown application reports for an interface task or for a single interface in an interface
task, click the icon
in the Application field of the Application List report for the application for
which you want to view this report.
For more information about Application List, see Application list.
The Application Traffic Trend graph provides average rate of traffic for an individual application
for all interfaces in the selected traffic analysis task or for an individual interface in a task. If there
is more than one interface for the selected task, this chart reflects traffic for all interfaces configured
in a task.
By default, the Traffic Trend Report graph displays statistics for the previous hour.
1. In the upper right corner of the chart, click the Previous button to view data for an earlier
period.
2. In the upper right corner of the chart, click the Next button to view data for a later period.
Click Back to return to the main Application report page.
Figure 19 Application Report: Traffic Trend for an Individual Application
TopN application usage list

The TopN application usage list includes Source Host List - In/Out and Destination Host List - In/Out
lists.
The Source Host List - In/Out provides you with a list of the TopN source hosts measured by volume
of traffic observed on all interfaces in the selected interface traffic analysis task or for an interface
in a task for the selected time range. This list includes the source host IP address, total volume of
traffic for the associated source, and the percentage of all observed traffic generated by the source.
The host query icon
next to the Source Host IP Address is a link for initiating a host query and
a link to the results of the query.
The Destination Host List In/Out provides you with a list of the TopN destination hosts measured
by volume of traffic observed on all interfaces in the selected interface traffic analysis task or for
an interface in a task for the selected time range. This list includes the destination IP address, total
volume of traffic for the associated destination, and the percentage of all observed traffic generated
by the destination. The host query icon
next to the Destination Host IP Address serves as a link
for initiating a host query as well as a link for navigating to the results of the query.
Figure 20 Application Report: TopN Application Usage List
TopN traffic report for unknown TCP/UDP application by port

The TopN Traffic Report for Unknown TCP/UDP Application by Port In/Out provides the distribution
of traffic by TCP or UDP port number for all application traffic that cannot be attributed to an
application or protocol for all interfaces in the selected traffic analysis task for the selected time
range. NTA enables you to change how the traffic is grouped.
To group by port, select Port located in the upper right corner of the TopN Traffic Report for
Unknown TCP/UDP Application by Port section of the page. To group by source host, select Source
Host. To group by destination host, select Destination Host. Click Back to return to the main
Application report page.
Figure 21 Application Report: TopN Traffic Report for Unknown Application by Port
TopN traffic list for unknown TCP/UDP application by port

The TopN Traffic List for Unknown TCP/UDP Application by Port In/Out provides a list of the
TopN unknown TCP or UDP applications measured by volume and rate of traffic observed on all
interfaces in the selected interface traffic analysis task for the selected time range.
This list has the TCP or UDP port number, total volume of traffic for the associated application port,
rate of traffic, and the percentage of all observed traffic generated for the unknown application.
The port number is a link to individual reports for the selected port. The icon
in the Define
Application field is a link for adding the selected port as a layer 4 application to NTA. For more
information about managing applications in NTA, see Managing applications.
Figure 22 Application Report: TopN Traffic List for Unknown TCP/UDP Application by Port
Traffic trend report for unknown TCP/UDP applications by port

To view this report for an interface task, click the link in the Port field of the Traffic Trend Report
for Unknown Applications by Port for the unknown TCP or UDP application you want to view this
report for.
The Traffic Trend line chart provides the average rate for an individual unknown application for
all interfaces in the selected traffic analysis task. If there is more than one interface for the selected
task, this chart reflects traffic for all interfaces configured in a task. Click Back to return to the
Unknown Application Traffic Information page.
Figure 23 Application Report: Traffic Trend Report for Unknown Applications by Port
TopN traffic details list for unknown TCP/UDP applications by port

To view this report for an interface task, click the link in the Port field of the Traffic Trend Report
for Unknown Applications by Port for the unknown TCP or UDP application you want to view this
report for.
The TopN Traffic Details List for Unknown TCP/UDP Applications by Port displays the TopN source
and destination host pairs, the volume of traffic sent and received between this source host and
the destination, the rate of traffic observed between the pair, and the percentage of all traffic
observed for this source host.
Figure 24 Application Report: TopN Traffic Details for Unknown Applications by Port
Protocol reports
Protocol reports display traffic rate trend reports organized by the list of protocols predefined in
NTA. Protocol reports have the Protocol List, which provides a list of protocols observed for all
interfaces in the selected interface traffic analysis task or for an interface in a task. This report also
provides capabilities for additional in-depth reports for the selected protocol. The Protocol Traffic
Trend stacked area chart provides average inbound and outbound traffic rates for all protocols
observed for all interfaces in the selected traffic analysis task or for an interface in a task. Protocol
reports also have traffic lists and trend reports for individual protocols.
As with all of the report types for an interface task, NTA also provides you with a query option for
filtering reports based on criteria you define. To view the reports for an interface task, click the
Application tab to view application reports for the selected interface traffic analysis task, and set
Query Type to Protocol as described in Query protocols. For more information about protocols
in NTA, see Managing protocols. This section explores the reports available for protocols.
Query protocols
To view reports by protocol, you must configure the filter criteria for application reports. NTA
enables you to change the filter criteria for application reports. You can change the default settings
for query type, protocol, or time range for the graphs and tables to customize the reports displayed
under the Application tab.
1.
2.
Select Protocol from the Query Type list.
The page displays the report for protocols.

ProtocolTo the right of the Protocol field, click the Select button to select the protocol
for which you want to search. The Query Applications dialog box is displayed and an
empty Protocol List is displayed in the lower portion of the dialog box.
To select the protocol you want to search for, you must first query the Protocol List. To do
so:
a.
b.
c.
d.
110
Enter one or more of the following search criteria in the Query Protocols section of the
dialog box:
To include system, predefined, or user-defined protocols, select Not limited.
Click Query to begin your search. The results of your query are displayed in the Protocol
List displayed below the Query Protocols section.
Click the checkboxes next to the protocols for which you want to search.
e.
Click OK to add the protocol to the filter. The protocols you selected are displayed in the
Protocol field.
Click the Clear button located to the right of the Protocol field to clear all selected protocols.
time.
time.
area to set the time range for the traffic report for protocols.
3.
Click OK.
4.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)
Microsoft Excel (97-2003) Data Only

Click Export.
Protocol list
The Protocol List provides a list of the protocols observed for all interfaces in the selected interface
traffic analysis task or for an interface in a task for the selected time range. This list has the protocol
name, total volume of traffic for the associated protocol, rate of traffic and the percentage of traffic
on all interfaces generated by the associated protocol. The protocol name in the Protocol field is
a link to reports for the selected protocol.
111
Figure 25 Application Report: Protocol List
Click the name link for a protocol to see the report for the individual protocol. For more information
about the reports for each individual protocol, see Individual protocol reports.
Protocol traffic trend
rates for all protocols observed for all interfaces in the selected traffic analysis task or for an interface
in a task for the selected time range. If there is more than one interface for the selected task, these
statistics reflects traffic for all interfaces configured in a task.
Figure 26 Application Report: Protocol Traffic Trend - In/Out
Individual protocol reports

NTA provides traffic trend statistics for the individual protocol that were observed on the interfaces
for a selected task. Individual protocol reports have the Protocol Traffic Trend report that displays
the average rate of traffic for the selected protocol and a source and destination host list that
identifies which source and destination hosts contribute the greatest volume of traffic for the selected
protocol. Individual protocol reports also have the TopN Protocol Usage List source and destination
hosts.
To view individual protocol reports for an interface task or for a single interface in an interface
task, click the name in the Protocol field of the Protocol List report for the protocol for which you
want to view this report. For more information about Protocol List, see Protocol list.
The Protocol Traffic Trend In/Out graph provides the average rate for an individual protocol for
all interfaces in the selected traffic analysis task or for an interface in a task. If there is more than
one interface for the selected task, this chart reflects traffic for all interfaces configured in a task.
By default, the Protocol Traffic Trend In/Out report graph displays statistics for the previous hour.
To view data for an earlier period, click the Previous button in the upper right corner of the
chart.
To view data for a later period, click the Next button in the upper right corner of the chart.
Click Back to return to the main Protocol report page.
112
Figure 27 Application Report: Traffic Trend for an Individual Protocol In/Out
TopN protocol usage list

The TopN Protocol Usage List includes the Source Host List In/Out and Destination Host List
In/Out lists.
Figure 28 TopN protocol usage list
The Source Host List In/Out provides you with a list of the TopN source hosts measured by volume
of traffic observed on all interfaces in the selected interface traffic analysis task or for a selected
interface in a task for the selected time range. This list includes the source host IP address, total
volume of traffic for the associated source and the percentage of all observed traffic generated by
the source. The host query icon
next to the Source Host IP Address serves as a link for initiating
a host query as well as a link for navigating to the results of the query.
The Destination Host List In/Out provides a list of the TopN destination hosts measured by volume
of traffic observed on all interfaces in the selected interface traffic analysis task for the selected
time range. This list has the destination IP address, total volume of traffic for the associated
destination and the percentage of all observed traffic generated by the destination. The host query
icon
next to the Destination Host IP Address is a link for initiating a host query and a link to
the results of the query.
113
Application category reports

Application category reports display traffic rate trend reports organized by the application categories
in NTA. Application category reports for an interface traffic analysis task have the Application
Category List, which provides a list of the application categories observed for all interfaces in the
selected interface traffic analysis task. This list has total volume of traffic for the associated
application categories, rate of traffic, and the percentage of all observed traffic observed on all
interfaces generated by the associated application category. This report also provides capabilities
for additional in-depth reports for the selected application category. The Application Category
Traffic Trend stacked area chart provides average inbound/outbound traffic rates for all applications
observed for all interfaces in the selected traffic analysis task. Application category reports also
have traffic lists and trend reports for the individual application categories.
As with all of the report types for an interface task, NTA also provides you with a query option for
filtering reports based on criteria you define. To view the reports for an interface task, click the
Application tab to view application reports for the selected interface traffic analysis task, and set
Query Type to Application Category as described in Query application categories.
NTA provides many system-defined application categories and also supports user-defined application
categories. For more information about application categories in NTA, see Managing application
categories. This section explores the reports available for application categories.
Query application categories
To view reports by application category, you must configure the filter criteria for application
category reports.
NTA enables you to change the filter criteria for application reports. You can change the default
settings for query type, application category, or time range for the graphs and tables to customize
the reports displayed under the Application tab.
1.
2.
Select Application Category form the Query Type list.
The page displays the report for application categories.

3.
Application CategoryTo the right of the Application Category field, click the Select button
to select the application category for which you want to search.
The Query Applications dialog box is displayed and an empty Application Category List
is displayed in the lower portion of the dialog box. To select the application categories
you want to search for, you must first query the Application Category List. To do so:
a.
b.
c.
Enter one or more of the following search criteria in the Query Application Categories
section of the dialog box:
Application CategoryEnter a partial or complete name for the application categories

you want to search for in the Application Category field.
Pre-definedTo search for application categories that are predefined, select Yes
from the Pre-defined list. To filter for application categories that are user-defined,
select No from the list. To include system or predefined as well as user-defined
application categories, select Not limited.
To display the full Application Category List, click Query without entering any search
criteria.
The results of your query are displayed in the Application Category List displayed below
the Query Application Categories section.
114
d.
e.
Click the checkboxes next to the application categories for which you want to search.
Click OK to add the application categories you have selected to the filter.
The application categories you selected appear in the Application Category field.
Click the Clear button located to the right of the Application Category field to clear all
selected application categories.
time.
time.
area to set the time range for the traffic report for application categories.
4.
Click OK.
Application category list

The Application Category List provides a list of the application categories observed for all interfaces
in the selected interface traffic analysis task or for an interface in a task for the selected time range.
This list has the application category name, total volume of traffic for the associated application
category, rate of traffic, and the percentage of traffic on all interfaces generated by the associated
application category. The application category name in the Application Category field is a link to
Figure 29 Application Report: Application Category List
Click the name link for an application category to view the report for the individual application
category. For more information about the report for each individual application category, see
Individual application category reports.
Application category traffic trend
inbound/outbound traffic rates for all application categories observed for all interfaces in the
selected traffic analysis task or for an interface in a task for the selected time range. If there is more
115
than one interface for the selected task, these statistics reflects traffic for all interfaces configured
in a task.
Figure 30 Application Report: Application Category Traffic Trend - In/Out
Individual application category reports

NTA provides traffic trend statistics for the individual protocol categories observed on the interfaces
for a selected task. Individual protocol category reports have the Application Category Traffic Trend
report that displays the average rate of traffic for the selected application category. Individual
application category reports also have the TopN Application Category Usage List that identifies
the TopN source and destination hosts.
To view application category reports for an interface task or for a single interface in an interface
task, click the name in the Application Category field of the Application Category List report for the
application category for which you want to view this report. For more information about Application
Category List, see Application category list.
The Application Category Traffic Trend In/Out graph provides the average rate for an individual
application category for all interfaces in the selected traffic analysis task or for an individual
interface in a task. If there is more than one interface for the selected task, this chart reflects traffic
for all interfaces configured in a task. By default, this graph displays statistics for the previous hour.
period.
2. In the upper right corner of the chart, click the Next button to view data for a later period.
Click Back to return to the main Application Category report page.
Figure 31 Application Report: Application Category Traffic Trend Report for an Individual
Application Category In/Out
TopN application category usage list

116
The TopN Application Category Usage List includes Source Host List In/Out and Destination Host
List In/Out lists.
Figure 32 Application Report: TopN Application Category Usage List
of traffic observed on all interfaces in the selected interface traffic analysis task or an individual
interface for the selected time range. This list includes the source host IP address, total volume of
traffic for the associated source and the percentage of all observed traffic generated by the source.
The host query icon
next to the Source Host IP Address serves as a link for initiating a host
query as well as a link for navigating to the results of the query.
The Destination Host List In/Out provides you with a list of the TopN source hosts measured by
volume of traffic observed on all interfaces in the selected interface traffic analysis task or an
interface for the selected time range. This list includes the destination IP address, total volume of
traffic for the associated destination and the percentage of all observed traffic generated by the
destination. The host query icon
next to the Destination Host IP Address serves as a link for
initiating a host query as well as a link for navigating to the results of the query.
Source reports
Source reports include inbound and outbound reports. Both reports have a TopN Traffic Report for
Source Host pie chart. The pie chart displays the distribution of traffic that generated by the TopN
source hosts for all interfaces in the selected traffic analysis task or for an interface in a task. Both
reports also have the TopN Traffic List for Source Host, which provides a list of the TopN source
hosts measured by volume of traffic observed on all interfaces in the selected traffic analysis task
or for an interface in a task. The pie chart contains a link to traffic reports for the selected host.
The list also contains a link to reports for the selected source host. The host query icon
next to
the Source IP address is a link for initiating a host query and a link to the results of the host query.
As with all of the report types for an interface task, NTA also provides a query option for filtering
reports based on criteria you define.
To view the reports for an interface task, click the Source tab to view traffic reports for the selected
117
Query sources
NTA enables you to change the filter criteria for source reports. You can change the default settings
for source host, or time range to customize the charts and lists displayed under the Source tab.
1. In the query criteria area in the upper right corner of the source report, click the query criteria
icon
2.
in the query
criteria area to set the time range for the source report.
To customize the time range for the source report, select Custom from the list that appears in
3.

Enter or select one or more of the following query criteria:
Source HostIn the Source Host field, enter the IP address or address range using the
following examples. To enter the IP address for a single interface, enter the IP address
using dotted decimal notation.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
End TimeEnter the end time of the timer range, in the format of YYYY-MM-DD hh:mm.
time.
4.
Click OK.
118
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
TopN traffic report for source host

The TopN Traffic Report for Source Host In/Out bar chart displays the TopN source hosts with
the most inbound/outbound traffic on all interfaces in a certain period of time in a selected interface
traffic analysis task. Click a bar in the bar chart to view the traffic analysis report of each source
host.
Click the pie chart icon
to change the bar chart to a pie chart. The pie chart displays the
distribution of inbound/outbound traffic of the TopN source hosts on all interfaces in the selected
traffic analysis task or on an interface in a task for the selected time range. The slices of the pie
chart link to traffic reports for the selected host.
Figure 33 Source Report: TopN Traffic Report for Source Host - In/Out
TopN traffic list for source host

The TopN Traffic List for Source Host In/Out provides a list of the TopN source hosts measured
by volume of inbound/outbound traffic observed on all interfaces in the selected interface traffic
119
analysis task or for an interface in a task for the selected time range. This list has the source interface
IP address, total volume of traffic for the associated source, rate of traffic, and the percentage of
all observed traffic generated by the source. The IP address is a link to reports for the selected
source. The host query icon
next to the Source IP address is a link for initiating a host query
and a link to the results of the query.
Figure 34 Source Report: TopN Traffic List for Source Host- In/Out
Traffic trend report for source host

To view this report for an interface task or for an interface in a task, click the slice of the pie chart
on the TopN Traffic Report for Source Host report for the source host you want to view statistics
for. Or, click the IP address for the source host you want to view statistics for from the TopN Traffic
List for Source Host list.
The Traffic Trend Report for Source Host line chart provides the average rate of traffic for the
selected source host. By default, the Traffic Trend Report for Source Host chart displays statistics
for the previous hour.
In the upper right corner of the chart, click the Previous button to view data for an earlier
period.
In the upper right corner of the chart, click the Next button to view data for a later period.
Click Back to return to the main Source host report page.

Figure 35 Source Report: Traffic Trend Report by Source Host
Traffic details
on the TopN Traffic Report for Source Host report for the source host you want to view statistics
for. Or, click the IP address for the source host you want to view statistics for from the TopN Traffic
List for Source Host list.
The Traffic Details for a source host table provides two lists. The TopN Destination Hosts
Communicating with the Source Host displays the TopN destination host IP addresses, the volume
of traffic sent and received between this source and destination hosts, and the percentage of all
traffic observed for this source and destination hosts.
The TopN Applications Communicating with the Source Host displays the TopN applications, the
volume of traffic attributed to the associated application for the selected source host, and the
percentage of the associated application traffic observed for this source host.
Figure 36 Source Report: Traffic Details
Destination reports
Destination reports include inbound and outbound reports. Both reports have a TopN Traffic Report
for Destination Host pie chart. The pie chart displays the distribution of traffic that generated by
the TopN destination hosts for all interfaces in the selected traffic analysis task or for an interface
in a task. Both reports also have the TopN Traffic List for Destination Host, which provides a list of
the TopN destination hosts measured by volume of traffic observed on all interfaces in the selected
traffic analysis task or for an interface in a task. The pie chart contains a link to traffic reports for
the selected host.
The list also contains a link to reports for the selected destination host. The host query icon
next
to the Destination IP address is a link for initiating a host query and a link to the results of the host
query. As with all of the report types for an interface task, NTA also provides a query option for
filtering reports based on criteria you define.
To view the reports for an interface task, click the Destination tab to view traffic reports for the
selected interface traffic analysis task.
Query destinations
NTA enables you to change the filter criteria for destination reports. You can change the default
settings for destination host, or time range to customize the charts and lists displayed under the
Destination tab.
1. In the query criteria area in the upper right corner of the destination report, click the query
criteria icon
. On the list that appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last
2.
24 hours, Last 7 days, Last 30 days, Last 3 months, or Custom. Click the Query icon
in
the query criteria area to set the time range for the destination report.
To customize the time range for the destination report, select Custom form the list that appears
3.
in the query criteria area, or click the Advanced icon

Destination HostEnter the IP address or address range in the Destination Host field. To
enter the IP address for a single Interface, enter the IP address using dotted decimal
notation.
10.153.89.10

10.153.89.0/255.255.255.0

121
10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
TopN traffic report for destination host

The TopN Traffic Report for Destination Host In/Out bar chart displays the TopN destination hosts
with the most inbound/outbound traffic on all interfaces in a certain period of time in a selected
interface traffic analysis task. Click a bar in the bar chart to view the traffic analysis report of each
destination host.
distribution of inbound/outbound traffic of TopN destination hosts on all interfaces in the selected
traffic analysis task for the selected time range. Each slice of the pie chart is a link to traffic reports
for the selected destination host.
122
Figure 37 Destination Report: TopN Traffic Report for Destination Host - In/Out
TopN traffic list for destination host

The TopN Traffic List for Destination Host In/Out provides a list of the TopN destination hosts
measured by volume of inbound/outbound traffic observed on all interfaces in the selected interface
traffic analysis task for the selected time range. This list has the destination IP address, total volume
of traffic generated by the associated destination Interface, rate of traffic, and the percentage of
all observed traffic generated by the destination Interface.
The IP address is a link to reports for the selected destination host. The host query icon
next to
the Destination IP address is a link for initiating a destination host query and a link to the results
of the query.
Figure 38 Destination Report: TopN Traffic List for Destination Host- In/Out
Traffic trend report for destination host

on the TopN Traffic Report for Destination Host report for the destination host you want to view
statistics for. Or, click the IP address for the destination host you want to view statistics for from
the TopN Traffic List for Destination Host list.
123
The Traffic Trend Report for Destination Host line chart provides the average rate of traffic for the
selected destination host. By default, the Traffic Trend Report for Destination Host chart displays
statistics for the previous hour.
period.
Click Back to return to the main Destination host report page.
Figure 39 Destination Report: Traffic Trend Report for Destination Host
Traffic details
on the TopN Traffic Report for Destination Host report for the destination host you want to view
statistics for. Or, click the IP address for the destination host you want to view statistics for from
the TopN Traffic List for Destination Host list.
The Traffic Details for a destination host table provides two lists. The TopN Source Hosts
Communicating with the Destination Host displays the TopN source host IP addresses, the volume
of traffic sent and received between this destination host and the sources, and the percentage of
all traffic observed for this destination host and the source hosts.
The TopN Applications Communicating with the Destination Host displays the TopN applications,
the volume of traffic attributed to the associated application for the selected destination host, and
the percentage of the associated application traffic observed for this destination host.
Figure 40 Destination Report: Traffic Details
Session reports
A session is a unique source and destination host pair. Session reports include inbound and
outbound reports. Both reports have the TopN Traffic Report for Session Host pie chart. The pie
chart displays the distribution of the traffic that generated by the TopN session hosts for all interfaces
in the selected traffic analysis task or for an interface in a task for the selected time range. Both
reports also have the TopN Traffic List for Session Host, which provides a list of the TopN session
hosts measured by volume of traffic observed on all interfaces in the selected interface traffic
124
analysis task or for an interface in a task. The pie chart contains a link to traffic reports for the
selected session.
The list also contains a link to reports for the selected session host. The host query icon
next to
the Source Host and Destination Host IP address is a link for initiating a host query and a link to
the results of the host query. As with all of the report types for an interface task, NTA also provides
a query option for filtering reports based on criteria you define.
To view the reports for an interface task, click the Session tab to view traffic reports for the selected
Query sessions
NTA enables you to change the filter criteria for session reports. You can change the default settings
for source or destination session pair information, or time range to customize the charts and lists
displayed under the Session tab.
1. In the query criteria area in the upper right corner of the session report, click the query criteria
icon
2.
in the query
criteria area to set the time range for the session report.
To customize the time range for the session report, select Custom from the list that appears in
3.

Source HostIn the Source Host field, enter the IP address or address range. To enter the
IP address for a single Interface, enter the IP address using dotted decimal notation.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
Destination HostIn the Destination Host field, enter the IP address or address range. To
enter the IP address for a single Interface, enter the IP address using dotted decimal
notation.
time.
time.
4.
Click OK.
125
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
TopN traffic report for session host

The TopN Traffic Report for Session Host In/Out pie chart displays the distribution of
inbound/outbound traffic for TopN source and destination session pairs for all interfaces in the
selected traffic analysis task or for an interface in a task for the selected time range. Each slice of
the pie chart is a link to traffic reports for the selected source and destination session pair.
Figure 41 Session Report: TopN Traffic Report for Session Host In/Out
TopN traffic list for session host

The TopN Traffic List for Session Host In/Out provides a list of the TopN session source and
destination pairs measured by volume of inbound/outbound traffic observed on all interfaces in
the selected interface traffic analysis task for the selected time range. This list includes the source
and destination IP addresses, total volume of traffic generated by the source and destination session
pair, rate of traffic, and the percentage of all observed traffic generated between the source and
destination session pair.
The icon
in the Details field is a link for viewing reports for the selected session or
source/destination pair. The Interface query icon

next to the Source Host and Destination Host
IP address fields is a link for initiating a host query and a link to the results of the query.
126
Figure 42 Session Report: TopN Traffic List for Session Host In/Out
Session host traffic trend report

on the TopN Traffic Report for Session Host report for the session pair you want to view statistics
for. Or, click the Details icon
on the TopN Traffic List for Session Host.
The Session Host Traffic Trend Report line chart provides the average rate of traffic for the source
and destination host pair. By default, the Session Host Traffic Trend Report chart displays statistics
period.
Click Back to return to the main Session report page.
Figure 43 Session Report: Session Host Traffic Trend Report
TopN applications for session host

on the TopN Traffic Report for Session Host report for the session pair you want to view statistics
for. Or, click the Details icon
The TopN Applications for Session Host displays the TopN applications observed for the selected
session pair, the volume of traffic sent and received between this session pair, and the percentage
of all traffic observed for the session pair.
Figure 44 Session Report: TopN Applications for Session Host
127
5 VLAN monitoring
This chapter of the NTA administrator guide provides you with information on VLAN monitoring
in NTA, including how NTA analyzes network flow records report on network traffic from VLAN
perspective. This chapter explores reporting options for VLAN traffic analyses and reviews
configuration issues around VLAN monitoring and traffic analysis tasks and the reports they generate.
This chapter also explores the process for adding VLAN traffic analysis tasks, including step-by-step
instructions for adding, modifying, and deleting tasks from NTA. It also provides a survey of the
summary reports for all VLAN tasks and a look at the more granular reports for an individual VLAN
traffic analysis task.
VLAN traffic analysis overview

VLAN traffic analysis tasks analyze network flow data by the VLAN you specify in VLAN traffic
analysis tasks. NTA parses all network flow data and provides statistical views of traffic in a VLAN
traffic analysis task. For example, NTA provides source and destination host information reporting
by VLAN, displaying the rate of traffic attributed to specific source or destination hosts that send
or receive traffic from the selected VLAN.
In general, the NTA VLAN traffic analysis tasks provide traffic statistics for the VLAN configured
in every VLAN traffic analysis task. The VLAN traffic reports include rate of traffic for all VLANs in
all tasks, for all VLANs in each task, and for individual VLANs in a task. VLAN statistics include
traffic rate by application, source host, destination host, and a session or source/destination host
pair. These reports are organized in layers from summarized information for all tasks to detailed
reporting for specific VLANs configured for an individual VLAN traffic analysis task.
To use VLAN traffic analysis, follow these guidelines:
1. To collect VLAN traffic statistics, the traffic direction (incoming or outgoing) must be identified.
Otherwise, the traffic is counted repeatedly. NTA globally controls the direction of VLAN traffic
through parameter management. By default, the incoming VLAN traffic statistics are collected.
2. VLAN traffic analysis is available on only devices supporting sFlow. The NetFlow and
NetStream traffic statistics packets do not carry VLAN tags.
VLAN traffic analysis reporting overview

After you create the first VLAN traffic analysis task, NTA creates an entry called
VLAN Traffic
Analysis Task under the section Traffic Analysis and Audit on the left navigation tree.
Click VLAN Traffic Analysis Task on the left navigation tree to view the summary report for all VLAN
traffic analysis tasks.
to the right of VLAN Traffic Analysis Task.
The VLAN Traffic Analysis Task shortcut menu appears to display all VLAN traffic analysis tasks
created in NTA. Click the name link for a task to view the VLAN traffic analysis report of the task.
To view the VLAN traffic analysis report of a VLAN in a VLAN traffic analysis task, click the Expand
icon next to the task on the shortcut menu to display the all VLANs in the task. Click the name
link for a VLAN to view the VLAN traffic analysis report of the individual VLAN.
The summary VLAN traffic analysis report includes the following contents:
128
reporting for all VLANs specified in all VLAN traffic analysis tasks summarized by task. Each
VLAN monitoring
bar in the graph is a link to more detailed reporting for the selected task. Each of these report
types includes several reports for the selected task:
TrafficReports include traffic trends that display the average inbound or outbound rate
per second, TopN by ToS, and the individual data samples for all VLANs for the selected
task or for a VLAN in a task.
ApplicationReports include a table displaying percentage of application traffic generated

by all VLANs in a task and a graph displaying average rate of application traffic for all
VLANs in the selected task or for an individual VLAN in a task.
SourceReports include a pie chart displaying the percentage of traffic generated by

the TopN source hosts and a table displaying volume and percentage of traffic generated
for each of the TopN source hosts for all VLANs in the selected task or for an individual
VLAN in a task. The pie chart is a link to more detailed reporting for the selected host.
DestinationReports include a pie chart displaying the percentage of traffic generated

by the TopN destination hosts and a table displaying volume and percentage of traffic
generated for each of the TopN destination hosts for all VLANs in the selected task or for
an individual VLAN in a task. The contents of the pie chart link to more detailed reporting
for the selected host.
SessionReports include a pie chart displaying the percentage of traffic generated by

the TopN source and destination host pairs and a table displaying volume and percentage
of traffic generated for each of the TopN source and destination host pairs for all VLANs
in the selected task or for an individual VLAN in a task. The contents of the pie chart link
to more detailed reporting for the selected session.
Traffic Trend and TopN Application for Selected Task (Last 1 Hour)Provides per second
average traffic rate summarized by VLAN traffic analysis task for inbound or outbound traffic
for all VLAN for the selected task or for an individual VLAN in a task. A second set of pie
charts reveals the distribution of traffic for the TopN applications, with one chart for inbound
traffic and one chart for outbound traffic.
Summary List (Last 1 Hour)Provides per second traffic rate and the last hour traffic statistics
summarized by VLAN traffic analysis task for inbound or outbound traffic for all VLANs in all
tasks.
VLAN traffic analysis configuration considerations

When you add a VLAN to a task, you must decide which VLAN belong to each task. This determines
how NTA groups the VLANs for analysis, reporting, and navigation purposes. It is also an important
decision because viewing statistics in juxtaposition to each other provides an additional layer of
analysis and interpretation of data. Additional considerations are summarized in the following list.
By default, NTA does not monitor any VLANs. You must create a task for every VLAN, or
group of VLANs, that you want to monitor and report on.
You define how NTA groups VLANs for analysis and reporting purposes. NTA presents VLAN
traffic analysis tasks in the NTA left navigation system and provides summarized VLAN reporting
based on the way you have organized VLANs into tasks.
You can add one or more VLANs from one or more devices into a single task. You are not
limited to adding VLANs from a single device into one task. HP recommends adding one
VLAN into only one VLAN traffic analysis task to facilitate collecting traffic statistics.
Add only VLANs for which you want to view statistics. Do not add all of the VLANs on a
device unless you want to view reporting for all VLANs.
When you add a VLAN traffic analysis task, you must specify the devices and VLANs for
which traffic statistics are analyzed and collected. When you select devices, NTA presents a
list of all devices that NTA knows about. This list is generated from the devices added to NTA
VLAN traffic analysis overview
129
using the Device Management feature. If the devices you want to add do not appear on this
list, and if they are not included in another traffic analysis task, it is likely that the device has
not been added to NTA or it has not been selected in the NTA server configuration in Server
Management. For more information on selecting devices in NTA server management, see
Modifying an NTA server configuration. If the VLAN management module is deployed,
VLAN information is configured automatically on devices from the VLAN management module,
and you only need to select the target VLANs. Otherwise, you must manually configure the
target VLANs.
If you do not add a VLAN to a task, NTA will not report on it.
Careful planning and documenting of VLAN tasks is valuable to help identify the task to which
an application has been added when you begin creating tasks and.
Enable sFlow on devices and interfaces, and send traffic data to NTA. Only devices supporting
sFlow can collect VLAN traffic statistics.
Managing VLAN traffic analysis tasks

create. Until a task is created, NTA will not analyze the data that devices forward to it or that it is
configured to receive. Effective management of tasks results in the reporting you need. This section
explains the step-by-step process for adding, modifying, or removing VLAN traffic analysis tasks
in NTA.
Viewing VLAN traffic analysis tasks

2. Click the Traffic Analysis Task Management link in the Settings portion of the Traffic Analysis
and Audit page. NTA displays all tasks in the Traffic Analysis Task List in the main pane of
the Task Management page.
Task list contents
3.
Task NameThe name of the task. This field is a link to the Traffic Analysis Task Details
page for the task.
Task DescriptionThe description for the associated task.
Task TypeThe task type. Options are interface, VLAN, probe, application, host, VPN,
or inter-business.
Baseline AnalysisDisplayed when the Baseline Analysis feature is enabled in NTA

parameters. The Baseline Analysis feature provides an additional layer of analysis to
NTA reports by including baseline trend data that has been collected for a minimum of
one week.
task.
to the Modify Traffic Analysis Task page for the associated

To view NTA for the most current Traffic Analysis Task List, click the Refresh button in the upper
left corner of the Traffic Analysis Task List.
and Baseline Analysis fields. Click the column label to sort the list by the selected field. The column
label that allows you to toggle between the sort options specific to each field.
130 VLAN monitoring
Viewing VLAN traffic analysis task details

To view the details for an individual VLAN traffic analysis task:
and Audit page.
Management page.
3.
To view the details for an individual task, click the Task Name field of the Traffic Analysis Task
List with a Task Type of VLAN.
4.
Task NameThe name of the task.
Task DescriptionThe description of the task.
ServerThe name or IP address of the NTA server.
Task TypeThe task type. Options are interface, VLAN, probe, application, host, VPN,
or inter-business.
Statistics DirectionDirection of the VLAN traffic whose statistics are collected by NTA.
Options are In and Out.
ReaderThe IMC operator groups that have been granted access to view the reports
generated by the associated traffic analysis task.
Baseline AnalysisWhether the Baseline Analysis feature is enabled for the task. If the
Baseline Analysis field is not displayed, the Baseline Analysis feature is disabled. For
more information on configuration options for the NTA parameters, including the Baseline
Analysis feature, see Configuring NTA traffic analysis parameters.
VLAN InformationDisplays information about the VLAN traffic statistics that are collected
and analyzed in the VLAN analysis tasks. The VLAN information includes the VLAN ID
and VLAN name.
Device InformationDisplays information about the device traffic statistics that are collected
and analyzed in the VLAN analysis tasks. The device information includes the device
name and device IP. Only traffic sent from these devices can be collected and analyzed
by NTA.
Adding a VLAN traffic analysis task

To add a VLAN traffic analysis task:
and Audit page.
page.
3.
Click Add.
The Add Traffic Analysis Task page is displayed.
4.
5.
6.
To add a VLAN traffic analysis task, click the option next to VLAN on the Select Task Type
section.
Click Next. The Add Traffic Analysis Task page is refreshed.
131
Therefore, assigning a descriptive and meaningful name to a task helps you to navigate to
reports quickly and easily.
7.
8.
Enter a description for this task in the Task Description field.

Select the NTA sFlow collection server from the Server list.
9.
To select the operator groups that have access to the analysis and reports provided by this
VLAN task, click the Select button to the right of the Reader field. The Choose Operator Group
dialog box is displayed.
a. From the Operator Group List, select the checkbox next to the operator group Name for
each operator group you want to allow access. To select all operator groups, select the
checkbox in the upper left corner of the column label field.
b. Click OK to accept your operator group selection.
10. To enable baseline analysis for the reports generated by this task, select Enable from the
Baseline Analysis list.
If you select Enable, the baseline trendline is displayed on graphs approximately seven days
after the creation of the task. Initially, the baseline trendline displays statistics based on the
first week of data collection, and is adjusted as more data is collected.
To disable baseline analysis, select Disable.
If the Baseline Analysis list is not displayed, the baseline analysis feature is not enabled in the
NTA parameters. For more information on configuration options for the NTA parameters,
including the Baseline Analysis feature, see Configuring NTA traffic analysis parameters.
11. To specify the VLANs for which traffic statistics are collected and analyzed, click Select. Options
are automatic and manual. After configuring the VLANs, click Add. The information for the
VLANs is displayed on the VLAN list.
AutomaticNTA uses the VLAN management module to obtain the VLAN information in
the network. Select the VLANs for which traffic statistics are collected and analyzed. For
more information about the VLAN management module, see IMC Base Platform
Administrator Guide.
ManualManually enter the IDs and names of VLANs for which traffic statistics are
collected and analyzed.
12. On the device list, select the devices for which the traffic statistics are collected and analyzed.
13. Click OK to create the VLAN traffic analysis task.
When you create a VLAN traffic analysis task, NTA creates an entry called
VLAN Traffic Analysis
Task on the left navigation tree. Click the entry to view the summary report for the VLAN traffic
analysis tasks.
to the right of VLAN Traffic Analysis Task.
The VLAN Traffic Analysis Task shortcut menu appears to display all VLAN traffic analysis tasks
created in NTA. Click the name link for a task to view the VLAN traffic analysis report of the task.
Click the Expand icon next to a VLAN traffic analysis task on the shortcut menu to display all
VLANs in the task. Click the name link for a VLAN to view the VLAN traffic analysis report of the
individual VLAN.
For more information on accessing and viewing VLAN traffic analysis reports, see Viewing VLAN
traffic analysis reports.
132
VLAN monitoring
NOTE: You must also configure sFlow traffic from the configured devices to the NTA server. To
do so, see device configuration guides.
Modifying a VLAN traffic analysis task

To modify a VLAN traffic analysis task:
and Audit page.
Management page.
3.
associated with the VLAN traffic analysis task you want to modify.
The Modify Traffic Analysis Task page is displayed.

4.
Modify the task name in the Task Name field.

5.
6.
Modify the task description in the Task Description field.

Select the NTA sFlow collection server from the Server list.
the NTA server.
If the NTA server is installed on the same server as the IMC Platform, the IP address is the
loopback address of the IMC server.
7.
VLAN task, click the Select button next to the Reader field. The Operator Group List dialog
box is displayed.
each operator group you want to grant access to.
To select all operator groups, select the checkbox in the upper left corner of the column
label field.
b.
Click OK to accept the additions to operator group.

The selected operator groups are displayed in the Reader field.
c.
d.
e.
To revoke operator group access to the results of this VLAN traffic analysis task, highlight
the groups you want to remove in the Reader field.
Click Delete.
8.
To enable baseline analysis for the reports generated by this task, select Enable from the
Baseline Analysis list. To disable baseline analysis, select Disable. If you select Enable, the
baseline analysis trendline is displayed on graphs approximately seven days after the creation
of the task. Initially the baseline trendline displays statistics based on the first week of data
collection and is adjusted as more data is collected.
If the Baseline Analysis list is not displayed, the baseline analysis feature is not enabled in the
9.
To specify the VLANs for which traffic statistics are collected and analyzed, click Select. Options
are automatic and manual.
AutomaticNTA uses the VLAN management module to obtain the VLAN information in
the network. Select the VLANs for which traffic statistics are collected and analyzed. For
133
more information about the VLAN management module, see IMC Base Platform
ManualManually enter the IDs and names of VLANs for which traffic statistics are
collected and analyzed.
After configuring the VLANs, click Add. The information for the VLANs is displayed on the
VLAN list. To remove a VLAN from a VLAN traffic analysis task, click the icon
field associated with the VLAN you want to remove.
in the Delete
10. On the device list, select the devices for which the traffic statistics are collected and analyzed.
11. Click OK to accept modifications to the VLAN traffic analysis task.
Deleting a VLAN traffic analysis task

To delete a VLAN traffic analysis task:
and Audit page.
page.
3.
4.
Click the icon

in the Delete field associated with the VLAN traffic analysis task you want
to delete.
Click OK to confirm the deletion of the selected VLAN traffic analysis task.
The Traffic Analysis Task List is updated to reflect the removal of the deleted task.
Viewing VLAN traffic analysis reports

NTA provides levels of reporting for all traffic analysis tasks. The highest level provides summarized
reporting for all tasks of the same type. The task types are interface, VLAN, probe, application,
host, VPN, or inter-business. To access these reports, click the highest level entry on the left
navigation tree in the Traffic Analysis and Audit section. To view summarized reporting for all
VLAN tasks, click the
VLAN Traffic Analysis Task entry on the left navigation tree.
NTA also provides more detailed reporting for individual tasks, including reports for every VLAN
configured in a VLAN traffic analysis task. NTA groups individual tasks by type. All VLAN tasks
can be found on the VLAN Traffic Analysis Task menu.
To view the VLAN Traffic Analysis Task shortcut menu, move your mouse pointer to the shortcut
menu icon
to the right of the
VLAN Traffic Analysis Task. The shortcut menu displays all
VLAN traffic analysis tasks created in NTA. Click the name link for a task to view the VLAN traffic
analysis report of the task. Click the Expand icon next to a task on the shortcut menu to display
all VLANs in the VLAN traffic analysis task. Click the name link for a VLAN to view the VLAN traffic
analysis report of the individual VLAN.
This section explains the reporting options available for VLAN traffic analysis tasks, the process
for navigating to VLAN traffic analysis tasks, the summary reports available for VLAN tasks, and
the reports and features available for individual VLAN traffic analysis tasks.
Navigating to VLAN traffic analysis reports

To navigate to VLAN traffic reports:
1. Click the Service tab.
2.
134
To view summary reporting for all VLAN tasks, click the

VLAN Traffic Analysis Task entry
in the Traffic Analysis and Audit section on the left navigation tree.
VLAN monitoring
3.
the right of
to
VLAN Traffic Analysis Task.
The VLAN Traffic Analysis Task shortcut menu appears to display all VLAN traffic analysis
tasks created in NTA. Click the name link for a task to view the VLAN traffic analysis report
of the task.
4.
To view the VLAN traffic analysis report of a VLAN in a VLAN traffic analysis task, click the
Expand icon next to a task on the shortcut menu to display the all VLANs in the VLAN traffic
analysis task. Click the name link for a VLAN to view the VLAN traffic analysis report of the
individual VLAN.
Summary reports for all VLAN traffic analysis tasks

Summarized reports are the highest level of reporting for all tasks of the same type. To access these
reports, click the
VLAN Traffic Analysis Task entry on the left navigation tree in the Traffic
Analysis and Audit section. These reports provide navigation aids to the reports for an individual
task. This section describes the summarized reports and the features in the reports.

The Average Rate (Last 1 Hour) bar graph summarizes the average rate of traffic for all VLANs in
every VLAN traffic analysis task, grouped by task during the last hour. The bars in the graph are
links to the detailed reports for the selected task.
The Traffic Trend line chart and the TopN Application for selected task pie chart:
The Traffic Trend line chart summarizes the average rate of inbound or outbound traffic for
all VLANs in the selected VLAN traffic analysis tasks during the last hour.
The TopN Application pie chart displays the distribution of inbound or outbound traffic for the
TopN applications for all VLANs in the selected VLAN traffic analysis task during the last hour.
135
Figure 46 Summary Report: Traffic trend and TopN application for selected task (last 1 hour)
No data is graphed on these charts until you specify a task.

1. To select the task, click the Select Task link in the upper right corner of the Traffic Trend and
The Choose NTA Task dialog box is displayed.
2.
3.
Select the checkbox next to the VLAN traffic analysis tasks you want to view in this report.
Click OK. The page displays the Traffic Trend and TopN Application reports for the selected
VLAN task.

The Summary List (last 1 hour) displays inbound and outbound VLAN traffic volume and the rate
of each VLAN traffic analysis task during the last hour.
Figure 47 Summary Report: Summary list (last 1 hour)
Task NameThe name of the VLAN traffic analysis task. The field is a link to reports for the
associated task.
TrafficVolume of incoming and outgoing traffic for the VLAN traffic analysis task in the last
hour.
RateRate of incoming and outgoing traffic for the VLAN traffic analysis task in the last hour.
The Add button at the top of the Summary List provides a shortcut to the Add VLAN Traffic Analysis
Task page. For more information on adding VLAN traffic analysis tasks, see Adding a VLAN
136
VLAN monitoring
Detailed reports for a VLAN traffic analysis task

In addition to summary reporting for all tasks, NTA provides a suite of reports for viewing VLAN
data. VLAN reports are organized into the following reporting groups: traffic, application, source,
destination, and session.
Traffic reports provide overall traffic statistics.
Application reports provide traffic statistics by application, by protocol, and by application

category. The details for an individual application, protocol, or application category can be
accessed. The application reports have the following types, where the application reports are
for Layer 4 through Layer 7 applications.
Application reports
Protocol reports
Source reports provide rate and percentage distribution of traffic by source host.
Destination reports provide rate and percentage distribution of traffic by destination host.
Session reports provide rate and percentage distribution of traffic for source and destination
pairs.
Source, destination, and session reports allow you to access traffic reports for individual hosts and
sessions.
Traffic reports
Traffic reports provide overall traffic statistics for all VLANs configured in a VLAN traffic analysis
task, or for an individual VLAN in a task. Click the Traffic tab to view traffic reports.
The traffic report contains the following fields:
Query TrafficThe time range for the data displayed in the traffic report.
Traffic TrendThe average inbound traffic rates or outbound traffic rates for all VLANs in the
task. This chart also provides total traffic volume, minimum average, maximum average, and
average statistics in a table.
Flux Distribute In VLANThe average rate of inbound or outbound traffic for every VLAN
configured in the task.
VLAN Flux TrendThe average inbound traffic rates or outbound traffic rates for selected
VLANs configured in the task.
Traffic DetailsThe data collection samples that include timestamp, total volume of traffic and
traffic rate in seconds for inbound traffic or outbound traffic.
Query traffic
NTA enables you to change the filter criteria for traffic reports. You can change the default settings
for the time range for the graphs and tables to customize the reports displayed.
icon
in the query
137
2.
a. Enter or select the following query criteria:
Start TimeEnter the start time of the time range, in the format of YYYY-MM-DD
hh:mm. Or, click the Calendar icon
specify a start time.
to the right of the input box to manually
end time.
b.
to the right of the input box to manually specify an
Click OK.
Traffic trend
The Traffic Trend line chart displays average inbound or outbound traffic rates for all VLANs in the
traffic analysis task or for a specific VLAN in a VLAN task. This chart also shows total traffic volume
statistics, maximum average, minimum average, and average in a table for inbound or outbound
traffic for the associated task or VLAN for the selected time range.
If the Baseline Analysis feature is enabled in the traffic analysis task, the traffic trend chart displays
the baseline for the average traffic. For more information on configuring the Baseline Analysis
feature for the VLAN traffic analysis task, see Adding a VLAN traffic analysis task.
If you enabled the Peak Traffic Analysis feature and selected a time range that is a minimum of 6
hours earlier than the current time, NTA displays the Max./Min. Peak Rate chart to the right of the
Traffic Trend chart. For more information on enabling Peak Traffic Analysis, see Configuring NTA
traffic analysis parameters.
The Peak Rate line chart displays the minimum and maximum peak traffic rate for inbound or
outbound traffic for the associated task during the selected time range.
138
VLAN monitoring
Figure 49 Traffic Report: Peak Rate
To view these charts for an individual VLAN, click a VLAN bar in the Flux Distribute In VLAN graph.
For more information on the Flux Distribute In VLAN report, see VLAN traffic distribution reports.
To view data for a later period, click the Next button in the upper right corner of the Traffic
Trend chart.
VLAN traffic distribution

If the task you selected has multiple VLANs configured for it, the VLAN Traffic Distribution bar chart
is displayed. This bar chart displays the average rate of inbound or outbound traffic for every
VLAN configured in the task for the selected time range. The bars in the graph link to the reports
for the selected VLAN.
Figure 50 Traffic Report: VLAN Traffic Distribution
VLAN traffic trend

The VLAN Traffic Trend line graph displays the average traffic trend for the selected VLANs.
Figure 51 Traffic Report: VLAN Traffic Trend
139
No data is logged on these line charts until you specify one or more VLANs.
1. To select the VLANs, click the Select VLANs link in the upper right corner of the VLAN Traffic
Trend title bar. The Choose VLAN dialog box is displayed.
2. Select the checkbox next to each VLAN you want to view in this report.
3. Click OK. The page displays the VLAN Traffic Trend reports for the selected VLANs.
Traffic details
The Traffic Details report provides the data collection samples for traffic statistics, based on the
time range for the selected traffic analysis task or for a selected VLAN in a task. This report includes
timestamp, total volume of traffic, and traffic rate in seconds for both inbound and outbound traffic.
Application reports
Application reports collect the statistics for all VLANs or an individual VLAN in a traffic analysis
task, and analyze traffic of unknown applications. After you click the Application tab, application
reports are displayed by default.
Application reports contents
Query ApplicationsSet the time range for the application report.
Application ListProvides a list of applications for all VLANs in the selected traffic analysis
task or for a selected VLAN in a task.
Application Traffic TrendDisplays average inbound or outbound traffic rates for all
applications for all VLANs in the selected traffic analysis task or for a selected VLAN in a task.
Application Traffic Trend for Individual ApplicationProvides average rate of traffic for an
individual application for all VLANs in the selected traffic analysis task or for a VLAN in a
task.
TopN Application Usage List for an Individual ApplicationContains the source host list and
the destination host list.
Source Host ListProvides a list of the TopN source hosts measured by volume of traffic
observed on all VLANs in the selected traffic analysis task or for a VLAN in a task.
Destination Host ListProvides a list of the TopN destination hosts measured by volume
of traffic observed on all VLANs in the selected traffic analysis task or for a VLAN in a
task.
TopN traffic report for unknown TCP/UDP application by PortDisplays the distribution of
traffic by TCP or UDP port number for all application traffic that cannot be attributed to an
application for all VLANs in the selected traffic analysis task.
TopN Traffic List for Unknown TCP/UDP Application by PortDisplays a list of the TopN
unknown TCP or UDP applications measured by volume and rate of traffic observed on all
VLANs in the selected traffic analysis task.
140 VLAN monitoring
Unknown Application Traffic Information by PortProvides the average rate for an individual
unknown application for all VLANs in the selected traffic analysis task.
TopN Traffic Details List for Unknown TCP/UDP Applications by PortDisplays the topN source
host and destination host pairs communicating through the current unknown TCP/UDP
application port.
TopN traffic report for unknown TCP/UDP application by SourceProvides the distribution of
traffic by source for all application traffic that cannot be attributed to an application for all
VLANs in the selected traffic analysis task.
TopN Traffic List for Unknown TCP/UDP Application by SourceProvides a list of the displays
TopN source hosts using unknown TCP/UDP applications on all VLANs in the selected traffic
analysis task.
Unknown Application Traffic Information by SourceProvides the average traffic rate for an
individual source host using unknown TCP/UDP applications for all VLANs in the selected
traffic analysis task or a VLAN in a task.
TopN Traffic Details List for Unknown TCP/UDP Applications by SourceDisplays the topN
destination hosts that communicate with the current source host through unknown TCP/UDP
applications.
TopN traffic report for unknown TCP/UDP application by DestinationDisplays the distribution
of traffic by destination for all application traffic that cannot be attributed to an application
for all VLANs in the selected traffic analysis task.
TopN Traffic List for Unknown TCP/UDP Application by DestinationDisplays topN destination
hosts using unknown TCP/UDP applications on all VLANs in the selected traffic analysis task.
Unknown Application Traffic Information by DestinationDisplays the average traffic rate for
an individual destination host using unknown TCP/UDP applications for all VLANs in the
selected traffic analysis task or a VLAN in a task.
TopN Traffic Details List for Unknown TCP/UDP Applications by DestinationDisplays the
topN source hosts that communicate with the current destination host through unknown TCP/UDP
applications.
The reports for unknown TCP/UDP applications can be used only when the unknown application
traffic analysis feature is enabled in the system parameter management.
Query applications
To view reports by application, you must configure the filter criteria for application reports. The
application query option enables you to change the default settings for query type, application,
or time range to customize the reports displayed.
1.
2.
Select Application from the Query Type list. The page displays the report for Layer 4 through
Layer 7 applications.
141
3.
ApplicationTo select the application you want to search for, click the Select button on
the right of the Application field.
The Query Applications dialog box is displayed, and an empty Application List is displayed
in the lower portion of the dialog box.
a.
b.
the dialog box:
ApplicationIn the Application field, enter a partial or complete name.
Pre-definedTo search for applications that are predefined, select Yes in the
Pre-defined list. To filter for applications that are user-defined, select No in the list.
To include system or predefined and user-defined applications, select Not limited.

The results of your query are displayed in the Application List below the Query Applications
section. To display the full Application List, click Query without entering any search criteria.
c.
Click the boxes next to the applications you want to search for.
Click OK to add the applications to the filter. The applications you selected are displayed
in the Application field. Click the Clear button located to the right of the Application field
to clear all selected applications.
time.
time.
4.
Click OK.
Application list
The Application List displays a list of the applications observed for all VLANs in the selected traffic
analysis task or for a VLAN in a task for the selected time range. This list includes the application
name, a link for viewing the ports for all unknown applications, total volume of traffic for the
associated application, rate of traffic, and the percentage of traffic on all VLANs generated by
the associated application. The application name in the Application field is a link to reports for the
selected application.
142
VLAN monitoring
The Application Traffic Trend stacked area chart displays the average inbound or outbound traffic
rates for all applications observed for all VLANs in the selected traffic analysis task or for a VLAN
in a task for the selected time range. If there is more than one VLAN for the selected task, these
statistics reflect traffic for all VLANs configured in a task.
Figure 54 Application Report: Application Traffic Trend
Application traffic trend for an individual application

The Application Traffic Trend graph displays the average rate of traffic for an individual application
for all VLANs in the selected traffic analysis task or for VLAN in a task. If there is more than one
VLAN for the selected task, this chart reflects traffic for all VLANs configured in a task.
By default, the Application Traffic Trend graph displays statistics for the previous hour.
chart.
143
Figure 55 Application Report: Application Traffic Trend for an Individual Application
TopN application usage list for an individual application

The TopN Application Usage List displays the source host list and destination host list for an individual
application for all VLANs in the selected traffic analysis task or for VLAN in a task.
Source Host List provides a list of the TopN source hosts measured by volume of traffic observed
on all VLANs in the selected traffic analysis task or for a VLAN in a task for the selected time
range. This list includes the source host IP address, total volume of traffic for the associated
source, and the percentage of all observed traffic generated by the source.
Destination Host List provides a list of the TopN destination hosts measured by volume of traffic
observed on all VLANs in the selected traffic analysis task or for a VLAN in a task for the
selected time range. This list includes the destination IP address, total volume of traffic for the
associated destination, and the percentage of all observed traffic generated by the destination.
The Host Query icon

next to the Source Host IP Address and Destination Host IP Address is a
link for initiating a host query and a link to the results of the query.
Figure 56 Application Report: TopN Application Usage List for an Individual Application
TopN traffic report for unknown TCP/UDP application by port

The TopN Traffic Report for Unknown TCP/UDP Application by Port displays the distribution of
traffic by TCP or UDP port number, by source host, or by destination host for all application traffic
that cannot be attributed to an application for all VLANs in the selected traffic analysis task for the
selected time range. Click Port, Source Host, or Destination Host to change the data organization.
144 VLAN monitoring
Figure 57 Application Report: TopN Traffic Report for Unknown Application by Port
To analyze traffic for unknown TCP/UDP applications, click the icon

in the Unknown Application
field of the Application List report for the application for which you want to view this report.
TopN traffic list for unknown TCP/UDP application by port
The TopN Traffic List for Unknown TCP/UDP Application by Port displays a list of the TopN unknown
TCP or UDP applications, measured by volume and rate of traffic observed on all VLANs in the
selected traffic analysis task for the selected time range. This list includes the TCP or UDP port
number, total volume of traffic for the associated application port, rate of traffic, and the percentage
of all observed traffic generated for the unknown application. The port number is a link to individual
reports for the selected port. The icon
port to NTA as a layer 4 application.
in the Define Application field is a link to add the selected
Figure 58 Application Report: TopN Traffic List for Unknown TCP/UDP Application by Port

The Traffic trend report for unknown TCP/UDP applications by Port displays a line chart of the
average rate for an unknown TCP/UDP port for all VLANs in the selected traffic analysis task or
a VLAN in a task. If there is more than one VLAN for the selected task, this chart reflects traffic for
all VLANs configured in a task. Click Back to return to the Unknown Application Traffic Information
page.
145
Figure 59 Application Report: Traffic Trend Report for Unknown Applications by Port
To analyze traffic for an individual TCP/UDP application by port, click the Port link on the TopN
traffic list for unknown TCP/UDP application list.
and destination host pairs measured by traffic volume, the volume of traffic sent and received
between this source host and the destination, the rate of traffic observed between the pair, and
the percentage of all traffic observed for this source and destination host pair.
Figure 60 Application Report: TopN Traffic Details for Unknown TCP/UDP Applications by Port
TopN traffic report for unknown TCP/UDP application by source

The TopN Traffic Report for Unknown TCP/UDP Application by Source displays the distribution of
traffic by source host for all application traffic that cannot be attributed to an application for all
VLANs in the selected traffic analysis task for the selected time range.
By default, the pie chart is grouped by port. Click the Source Host link to group the pie chart by
source host. Click Back to return to the main Application report page.
146
VLAN monitoring
Figure 61 Application Report: TopN traffic report for unknown TCP/UDP application by source
TopN traffic list for unknown TCP/UDP application by source

The TopN Traffic List for Unknown TCP/UDP Application by Source provides a list of the TopN
source hosts using unknown TCP/UDP applications on all VLANs in the selected traffic analysis
task for the selected time range. This list includes the source host, total volume of traffic for the
associated source host, rate of traffic, and the percentage of all observed traffic generated for the
unknown application. The source host is a link to individual reports for the selected source host.
Figure 62 Application Report: TopN traffic list for unknown TCP/UDP application by source
Traffic trend report for unknown TCP/UDP applications by source

The Traffic trend report for unknown TCP/UDP applications by Source line chart provides the
average rate for an individual source host using unknown TCP/UDP applications for all VLANs in
the selected traffic analysis task or a VLAN in a task. If there is more than one VLAN for the selected
task, this chart reflects traffic for all VLANs configured in a task. Click Back to return to the Unknown
Application Traffic Information page.
147
Figure 63 Application Report: Traffic trend report for unknown TCP/UDP applications by source
host
TopN traffic details list for unknown TCP/UDP applications by source

The TopN Traffic Details List for Unknown TCP/UDP Applications by Source displays the TopN
destination hosts communicating with the current source host through unknown TCP/UDP
applications, the port used by the unknown application, the volume of traffic sent and received
Figure 64 Application Report: TopN traffic details list for unknown TCP/UDP applications by source
TopN traffic report for unknown TCP/UDP application by destination

The TopN Traffic Report for Unknown TCP/UDP Application by Destination shows the distribution
of traffic by destination host for all application traffic that cannot be attributed to an application
for all VLANs in the selected traffic analysis task for the selected time range.
By default, the pie chart is grouped by port. Click the Destination Host link to group the pie chart.
Figure 65 Application Report: TopN traffic report for unknown TCP/UDP application by destination
148
VLAN monitoring
TopN traffic list for unknown TCP/UDP application by destination

The TopN Traffic List for Unknown TCP/UDP Application by Destination provides a list of the TopN
hosts using unknown TCP/UDP applications on all VLANs in the selected traffic analysis task for
the selected time range. This list includes the destination host, total volume of traffic for the associated
destination host, rate of traffic, and the percentage of all observed traffic generated for the unknown
application. The source host is a link to individual reports for the selected source host.
Figure 66 Application Report: TopN traffic list for unknown TCP/UDP application by destination
TopN traffic list for unknown TCP/UDP application by destination

The Traffic trend report for unknown TCP/UDP applications by Destination line chart provides the
average rate for an individual destination host using unknown TCP/UDP applications for all VLANs
in the selected traffic analysis task or a VLAN in a task. If there is more than one VLAN for the
selected task, this chart reflects traffic for all VLANs configured in a task. Click Back to return to
the Unknown Application Traffic Information page.
Figure 67 Application Report: TopN traffic list for unknown TCP/UDP application by destination
host
TopN traffic details list for unknown TCP/UDP applications by destination

The TopN Traffic Details List for Unknown TCP/UDP Applications by Destination displays the TopN
source hosts communicating with the current destination host through unknown TCP/UDP
applications, the ports used by unknown applications, the volume of traffic sent and received
149
Figure 68 Application Report: TopN traffic details list for unknown TCP/UDP applications by
destination host
Protocol Reports
Protocol reports provide the rate and percentage distribution of traffic by protocol for all VLANs
configured in a VLAN traffic analysis task or for an individual VLAN in a task. Click the Application
tab to display the default application reports. From the Query Type list, select Protocol to switch to
the protocol reports.
The protocol reports contain the following fields:
Query ProtocolsSet the time range for the protocol reports.
Protocol ListProvides a list of protocols observed for all VLANs in the selected traffic analysis
task or for a selected VLAN in a task.
Protocol Traffic TrendProvides average inbound or outbound traffic rates for all protocols
observed for all VLANs in the selected traffic analysis task or for a selected VLAN in a task.
Protocol Traffic Trend for an Individual ProtocolProvides average rate of traffic for an
individual protocol for all VLANs in the selected traffic analysis task or for a VLAN in a task.
TopN Protocol Usage List for an Individual ProtocolIncludes the source host list and the
destination host list.
task.
Query protocols
To view reports by protocol, you must configure the filter criteria for protocol reports. To customize
the reports displayed, the protocol query option enables you to change the default settings for
query type, protocol, or time range for the graphs and tables.
1.
2.
The page refreshes the report for protocols.
150
VLAN monitoring
3.
a.
b.
c.
d.
ProtocolTo select the protocol you want to search for, click the Select button located to
the right of the Protocol field. The Query Protocols dialog box is displayed and an empty
Protocols List is displayed in the lower portion of the dialog box.
dialog box:
List displayed below the Query Protocols section. To display the full Protocol List, click
Query without entering any search criteria.
Click the checkboxes next to the protocols you want to add to the application category.
Click OK to add the protocols to the filter. The protocols you selected are displayed in
the Protocol field. Click the Clear button located to the right of the Protocol field to clear
all selected protocols.
time.
time.
in the upper right corner of the protocol report. On the list that
appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours, Last 7 days, Last
30 days, Last 3 months, or Custom. Click the Query icon
to set the time range for the traffic for protocols.
4.
in the query criteria area
Click OK.
Protocol list
The Protocol List provides a list of the protocols for all VLANs in the selected traffic analysis task
or for a VLAN in a task for the selected time range. This list includes the protocol name, total volume
of traffic for the associated protocol, rate of traffic and the percentage of traffic on all VLANs
generated by the associated protocol. The protocol name in the Protocol field is a link to reports
for the selected protocol.
Figure 69 Protocol Report: Protocol List
151

The Protocol Traffic Trend stacked area chart provides average inbound or outbound traffic rates
for all protocols observed for all VLANs in the selected traffic analysis task or for a VLAN in a task
for the selected time range. If there is more than one VLAN for the selected task, these statistics
reflect traffic for all VLANs configured in a task.
Figure 70 Protocol Report: Protocol Traffic Trend
Protocol traffic trend for an individual protocol

The Protocol Traffic Trend graph provides average rate of traffic for an individual protocol for all
VLANs in the selected traffic analysis task or for VLAN in a task. If there is more than one VLAN
for the selected task, this chart reflects traffic for all VLANs configured in a task.
By default, the Protocol Traffic Trend graph displays statistics for the previous hour.
chart.

Figure 71 Protocol Report: Protocol Traffic Trend for an Individual Protocol
TopN protocol usage list for an individual protocol

The TopN Protocol Usage List includes the source host list and destination host list for an individual
protocol for all VLANs in the selected traffic analysis task or for VLAN in a task.
152
Source Host List provides you with a list of the TopN source hosts measured by volume of
traffic observed on all VLANs in the selected traffic analysis task or for a VLAN in a task for
the selected time range. This list includes the source host IP address, total volume of traffic for
the associated source, and the percentage of all observed traffic generated by the source.
Destination Host List provides you with a list of the TopN destination hosts measured by volume
of traffic observed on all VLANs in the selected traffic analysis task or for a VLAN in a task
for the selected time range. This list includes the destination IP address, total volume of traffic
VLAN monitoring
for the associated destination, and the percentage of all observed traffic generated by the
destination.
The Host Query icon
Figure 72 Protocol Report: TopN Protocol Usage List for an Individual Protocol

Application category reports provide rate and percentage distribution of traffic by application
category for all VLANs configured in a VLAN traffic analysis task or for an individual VLAN in a
task. Click the Application tab to display the application reports by default. Select Application
Category from the Query Type list to switch to the application category reports.
The application category reports contain the following fields:
Query Application CategoriesSet the time range for the application category reports.
Application Category ListProvides a list of the application categories observed for all VLANs
in the selected traffic analysis task or for a selected VLAN in a task.
Application Category Traffic TrendProvides average inbound or outbound traffic rates for
all applications observed for all VLANs in the selected traffic analysis task or for a VLAN in
a selected task.
Application Category Traffic Trend for an Individual Application CategoryProvides the

average rate for an individual application category for all VLANs in the selected traffic analysis
task or for a VLAN in a task.
TopN Application Category Usage List for an Individual Application CategoryIncludes the
source host list and the destination host list:
task.
The introduction to application category reports also applies to individual VLAN traffic reports in
VLAN traffic analysis tasks.
category reports. NTA enables you to change the filter criteria for application reports. You can
153
change the default settings for query type, application category, or time range for the graphs and
tables to customize the reports displayed.
1.
2.
Select Application Category from the Query Type list.

3.
a.
b.
c.
d.
Application CategoryTo select the application category you want to search for, click
the Select button to the right of the Application Category field. The Query Application
Categories dialog box is displayed and an empty Application Category List is displayed
Enter one or more of the following search criteria in the Query Application Categories

select No from the list. To include system or predefined and user-defined application
categories, select Not limited.
Click Query to begin your search. The results of your query are displayed in the Application
Category List displayed below the Query Application Categories section. To display the
full Application Category List, click Query without entering any search criteria.
Select the checkboxes next to the application categories you want to search for.
Click OK to add the application categories to the filter. The application categories you
selected are displayed in the Application Category field. Click the Clear button to the
right of the Application Category field to clear all selected application categories.
Start TimeEnter the start time of the timer range, in the format of YYYY-MM-DD hh:mm.
time.
End TimeEnter the end time of the timer range, in the format of YYYY-MM-DD hh:mm.
time.
Additionally, to set the start time and end time for the application category report, you
can click the query criteria icon
in the upper right corner of the application report.
On the list that appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours,
in the
query criteria area to set the time range for the traffic report for application categories.
4.
Click OK.

The Application Category List provides a list of the application categories observed for all VLANs
in the selected VLAN traffic analysis task or for a VLAN in a task for the selected time range. This
list includes the application category name, total volume of traffic for the associated application
category, rate of traffic, and the percentage of traffic on all VLANs generated by the associated
154 VLAN monitoring
Figure 73 Application Category Report: Application Category List
The Application Category Traffic Trend stacked area chart provides average inbound or outbound
traffic rates for all application categories observed for all VLANs in the selected traffic analysis
task or for a VLAN in a task for the selected time range. If there is more than one VLAN for the
selected task, these statistics reflect traffic for all VLANs configured in a task.
Figure 74 Application Category Report: Application Category Traffic Trend
Application category traffic trend for an individual application category

The Application Category Traffic Trend graph provides the average rate for an individual application
category for all VLANs in the selected traffic analysis task or for a VLAN in a task. If there is more
than one VLAN for the selected task, this chart reflects traffic for all VLANs configured in a task.
By default, this graph displays statistics for the previous hour.
chart.
155
Figure 75 Application Category Report: Application Category Traffic Trend Report for an Individual
Application Category
TopN application category usage list for an individual application category

The TopN Application Category Usage List includes Source Host List and Destination Host List for
an individual protocol for all VLANs in the selected traffic analysis task or for VLAN in a task.
Source Host List provides a list of the TopN source hosts measured by volume of traffic observed
on all VLANs in the selected traffic analysis task or a VLAN in a task for the selected time
range. This list includes the source host IP address, total volume of traffic for the associated
source and the percentage of all observed traffic generated by the source.
Destination Host List provides a list of the TopN destination hosts measured by volume of traffic
observed on all VLANs in the selected traffic analysis task or a VLAN in a task for the selected
time range. This list includes the destination IP address, total volume of traffic for the associated
destination and the percentage of all observed traffic generated by the destination.
The Host Query icon

link for initiating a host query and a link for to the results of the query.
Figure 76 Application Category Report: TopN Application Category Usage List
Source reports
Source reports provide rate and percentage distribution of traffic by source host for all VLANs
configured in a VLAN traffic analysis task or for an individual VLAN in a task. Click the Source
tab to view traffic reports.
Source reports contain the following fields:
156
Query SourcesSet the time range for the source host reports.
TopN Traffic Report for Source HostThe pie chart displays the distribution of traffic that
generated by the TopN source hosts for all VLANs in the selected traffic analysis task or for
a VLAN in a task.
VLAN monitoring
TopN Traffic List for Source HostProvides a list of the TopN source hosts, measured by volume
of traffic on all VLANs in the selected traffic analysis task or for a VLAN in a task.
Traffic Trend Report for Source HostProvides the average rate of traffic for the selected source
host.
Traffic DetailsProvides two lists for a source host table:
TopN Destination Hosts Communicating with the Source Host

The list displays the TopN destination host IP addresses, the volume of traffic sent and
received between this source and destination hosts, and the percentage of all traffic
observed for this source and destination hosts.
TopN Applications Communicating with the Source Host

The list displays the TopN applications, the volume of traffic attributed to the associated
application for the selected source host, and the percentage of the associated application
traffic observed for this source host.
The introduction to source host reports also applies to individual VLANs in VLAN traffic analysis
tasks.
Query sources
for source host, or time range to customize the charts and lists displayed.
icon
2.
in the query
3.

Enter one or more of the following query criteria:
Source HostEnter the IP address or address range in the Source Host field, using the
following examples.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1
157
a001:410:0:1::1/64
time.
time.
4.
Click OK.

The TopN Traffic Report for Source Host bar chart displays the TopN source hosts with the most
inbound/outbound traffic for all VLANs in a certain period of time in a selected VLAN traffic
analysis task. Click a bar in the chart to view the traffic analysis report of each source host.
distribution of inbound or outbound traffic of the TopN source hosts for all VLANs in the selected
traffic analysis task or for a VLAN in a task for the selected time range. The slices of the pie chart
are links to traffic reports for the selected host.
Figure 77 Source Report: TopN Traffic Report for Source Host

The TopN Traffic List for Source Host provides a list of the TopN source hosts measured by volume
of inbound or outbound traffic observed on all VLANs in the selected traffic analysis task or for a
VLAN in a task for the selected time range. This list includes the source IP address, total volume of
traffic for the associated source, and the percentage of all observed traffic generated by the source.
The IP address is a link to reports for the selected source. The Host Query icon
next to the
Source IP address is a link for initiating a host query and a link to the results of the query.
158
VLAN monitoring
Figure 78 Source Report: TopN Traffic List for Source Host

selected source host. To view this line chart, click the slices of the TopN Traffic Report for Source
Host pie chart or click the IP address link of the TopN Traffic List for Source Host.
By default, the Traffic Trend Report for Source Host chart displays statistics for the last 1 hour.
chart.

Traffic details for source host

The Traffic Details For Source Host table provides two lists:
The TopN Destination Hosts Communicating with the Source Host displays the TopN destination
host IP addresses, the volume of traffic sent and received between this source and destination
hosts, and the percentage of all traffic observed for this source and destination hosts.
The TopN Applications Communicating with the Source Host displays the TopN applications,
the volume of traffic attributed to the associated application for the selected source host, and
the percentage of the associated application traffic observed for this source host.
159
Figure 80 Source Report: Traffic Details For Source Host
Destination reports
Destination reports provide rate and percentage distribution of traffic by destination host for all
VLANs configured in a VLAN traffic analysis task or for an individual VLAN in a task. Click the
Destination tab to view traffic reports.
Destination reports contain the following fields:
Query DestinationsSet the time range for the destination host reports.
TopN Traffic Report for Destination HostDisplays the distribution of traffic that generated by
the TopN destination hosts for all VLANs in the selected traffic analysis task or for a VLAN in
a task.
TopN Traffic List for Source HostProvides a list of the TopN destination hosts measured by
volume of traffic on all VLANs in the selected traffic analysis task or for a VLAN in a task.
Traffic Trend Report for Destination HostProvides the average rate of traffic for the selected
destination host.
Traffic DetailsFor a source host table, provides two lists:
TopN Source Hosts Communicating with the Destination Host

The list displays the TopN source host IP addresses, the volume of traffic sent and received
between this destination host and the sources, and the percentage of all traffic observed
for this destination host and the source hosts.
TopN Applications Communicating with the Destination Host

The list displays the TopN applications, the volume of traffic attributed to the associated
application for the selected destination host, and the percentage of the associated
application traffic observed for this destination host.
The introduction to destination host reports also applies to individual VLANs in VLAN traffic analysis
tasks.
Query destinations
settings for destination host, or time range to customize the charts and lists displayed.
icon
2.
in the query
160 VLAN monitoring
3.
Enter one or more of the following query criteria:
Destination HostEnter the IP address or address range in the Destination Host field,
using the following examples.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.

The TopN Traffic Report for Destination Host pie chart displays the distribution of inbound or
outbound traffic for TopN destination hosts for all VLANs in the selected traffic analysis task for
the selected time range. Each slice of the pie chart is a link to traffic reports for the selected
destination host.
Figure 81 Destination Report: TopN Traffic Report for Destination Host

The TopN Traffic List for Destination Host provides a list of the TopN destination hosts measured
by volume of inbound or outbound traffic observed on all VLAN in the selected traffic analysis task
for the selected time range. This list includes the destination IP address, total volume of traffic
generated by the associated destination, and the percentage of all observed traffic generated by
the destination. The IP address is a link to reports for the selected destination host. The Host Query
icon
next to the Destination IP address is a link for initiating a destination host query and a
link to the results of the query.
161
Figure 82 Destination Report: TopN Traffic List for Destination Host

selected destination host. To view this line chart, click the slices of the TopN Traffic Report for
Destination Host pie chart or click the IP address link of the TopN Traffic List for Destination Host.
By default, the Traffic Trend Report for Destination Host chart displays statistics for the last 1 hour.
chart.

Traffic details for destination host
162
The Traffic Details For Destination Host table provides two lists: The TopN Source Hosts
Communicating with the Destination Host displays the TopN source host IP addresses, the
volume of traffic sent and received between this destination host and the sources, and the
percentage of all traffic observed for this destination host and the source hosts.
the volume of traffic attributed to the associated application for the selected destination host,
and the percentage of the associated application traffic observed for this destination host.
VLAN monitoring
Figure 84 Destination Report: Traffic Details For Destination Host
Session reports
A session is a unique source and destination host pair. Session reports provide rate and percentage
distribution of traffic for source and destination pairs for all VLANs configured in a VLAN traffic
analysis task or for an individual VLAN in a task. Click the Session tab to view traffic reports.
Session reports contain the follow fields:
Query SessionsSet the time range for the session host reports.
TopN Traffic Report for Session HostDisplays the distribution of the traffic that generated by
the TopN session hosts for all VLANs in the selected traffic analysis task or for a VLAN in a
task.
TopN Traffic List for Session HostProvides a list of the TopN session hosts measured by
volume of traffic on all VLANs in the selected traffic analysis task or for a VLAN in a task.
Session Host Traffic Trend ReportProvides the average rate of traffic for the source and
destination host pair.
TopN Applications for Session HostDisplays the TopN applications observed for the selected
session pair, the volume of traffic sent and received between this session pair, and the
percentage of all traffic observed for the session pair.
The introduction to session host reports also applies to individual VLANs in VLAN traffic analysis
tasks.
Query sessions
displayed.
icon
2.
3.
in the query
Source HostEnter the IP address or address range in the Source Host field, using the
following examples.
10.153.89.10
An example of a valid network or subnet mask in dotted decimal notation:

10.153.89.0/255.255.255.0
A valid network or subnet mask entry using CIDR notation:

10.153.89.0/24
Viewing VLAN traffic analysis reports 163

a001:410:0:1::1

a001:410:0:1::1/64
Destination HostEnter the IP address or address range in the Destination Host field.
time.
time.
4.
Click OK.

The TopN Traffic Report for Session Host pie chart displays the distribution of inbound or outbound
traffic for TopN source and destination session pairs for all VLANs in the selected traffic analysis
task or for a VLAN in a task for the selected time range. Each slice of the pie chart is a link to
traffic reports for the selected source and destination session pair.
Figure 85 Session Report: TopN Traffic Report for Session Host

The TopN Traffic List for Session Host provides a list of the TopN session source and destination
pairs measured by volume of inbound or outbound traffic observed on all VLANs in the selected
traffic analysis task for the selected time range. This list includes the source and destination IP
addresses, total volume of traffic generated by the source and destination session pair, and the
percentage of all observed traffic generated between the source and destination session pair. The
icon
in the Details field is a link to reports for the selected session or source and destination
pair. The Host Query icon

next to the Source Host and Destination Host IP address fields is a
164 VLAN monitoring
Figure 86 Session Report: TopN Traffic List for Session Host

and destination host pair. To view this line chart, click the slices of the TopN Traffic Report for
Destination Host pie chart or click the icon
Destination Host.
in the Details field of the TopN Traffic List for
By default, the Session Host Traffic Trend Report chart displays statistics for the last 1 hour.
chart.


165
6 Probe monitoring
This chapter provides information on network flow data reporting using data gathered by probe
servers, also called probes. This chapter explains how NTA analyzes network flow records from
probes to report on network traffic and looks at the reporting options for probe traffic analyses
This chapter also provides a survey of the summary reports for all probe tasks a look at the more
detailed reports for an individual probe traffic analysis task.
Probe traffic monitoring overview

In NTA, a probe is a probe server. A probe server is an application that runs on a dedicated
server. A probe server acts as a network flow generator that transmits network flow data to the
NTA server that acts as a flow collector. probe servers receive information forwarded to it from
network devices. NTA retrieves data from probe servers when the probe server is added to the
NTA server as a probe. Operators use probe servers when the devices in their network cannot
generate NetStream, NetFlow, or sFlow data.
After you add a probe server to an NTA server as a probe, and the probe is selected in the NTA
Server Management page, the NTA server is ready to begin processing data from the probe. Probe
traffic analysis tasks instruct NTA to begin processing probe server data based on the task
configuration.
Probe traffic analysis tasks analyze network flow data by the probes you specify in probe traffic
analysis tasks. NTA parses all network flow data and provide various statistical views of traffic
that was received by the probes configured in a probe traffic analysis task. For example, NTA
provides source and destination host information reporting by probe, displaying traffic attributed
to specific source or destination hosts that were observed sending or receiving traffic from the
locations on the network where probes were deployed.
In general, the NTA probe traffic analysis tasks provide traffic visibility for the locations on the
network where probes have been deployed. The probe reports include traffic for all probes in all
tasks, for all probes in each task, and for individual probes in a task. Probe statistics include traffic
statistics and statistics by application, source host, destination host, and a session or
source/destination host pair. These reports are organized into multiple layers from summarized
information for all tasks to detailed reporting for specific probes configured for an individual probe
Probe traffic analysis reporting overview

After you create the first probe traffic analysis task, NTA creates a
Probe Traffic Analysis Task
entry under the Traffic Analysis and Audit section on the left navigation tree.
Click Probe Traffic Analysis Task on the left navigation tree to view the summary report for all probe
to the right of Probe Traffic Analysis
Task. The Probe Traffic Analysis Task shortcut menu appears to display all probe traffic analysis
tasks created in NTA. Click the name link for a task to view the probe traffic analysis report of the
task.
The summary probe traffic analysis report includes the following contents:
reporting for all probe traffic analysis tasks summarized by task. Each bar in the graph a link
to more detailed reporting for the selected task including reporting for traffic rates, application,
166 Probe monitoring
source, destination, and session statistics. Each of these detailed report types also include
several reports for the selected task including:
TrafficReports include traffic trends that display the average rate within 1 minute and
the individual data samples for the selected task.
ApplicationReports include a table that displays the percentage of application traffic

generated by the probe in a task, and a graph that displays the average rate of
application traffic for the probe in the task.
SourceReports include a pie chart the TopN source hosts and a list displaying the TopN
source hosts in the selected task. The contents of the chart link to more detailed reporting
for the selected host.
DestinationReports include a pie chart the TopN destination hosts and a list displaying
the TopN destination hosts for the selected task. The contents of the chart link to more
detailed reporting for the selected host.
SessionReports include a chart the TopN source and destination pairs and a list
displaying the TopN sessions for the selected task. The contents of the chart link to more
Traffic Trend and TopN Application for Selected Task (Last 1 Hour)This set of line charts
provides traffic summarized by probe traffic analysis task for traffic for all probes for all tasks.
A second set of pie charts reveals the distribution of traffic for the TopN applications.
Summary List (Last 1 Hour)Provides traffic statistics summarized by probe traffic analysis
task for all tasks.
Probe traffic analysis configuration considerations

There are several things to consider when you add a probe to a task. The following list provides
considerations:
By default, NTA does not report on any data received by probes. Therefore, you must create
a task for every probe or group of probes that you want to monitor and report on.
You can add only one probe a single task. However, a probe can only belong to one task.
Add only those probes that you want to view statistics for. Do not add all of the probes unless
you want to view reporting for all probes
When you add probes to a task, NTA displays a list of all probes that NTA knows about. This
list is generated from the probes that have been added to NTA using the Probe Management
feature. If the probes you want to add do not appear on this list, and if they are not already
included in another traffic analysis task, it is most likely because the probe has not been added
to NTA or it has not been selected in the NTA server configuration found under Server
Management. For more information on selecting probes in NTA server management, see
Modifying an NTA server configuration.
If you do not add a probe to a task, NTA does not report on the task.
Managing probe traffic analysis tasks

create. Until a task is created, NTA does not analyze the data that probes forward to it or that it
is configured to receive. This section provides the process for adding, modifying, or removing
probe traffic analysis tasks in NTA.

167
To view the traffic analysis task list:

and Audit page. NTA displays all tasks in the Traffic Analysis Task List displayed in the main
pane of the Task Management page.
Task list contents
Task NameThe name of the task.

The contents of this field link to the Task Details page for the associated task.
Task DescriptionThe description for the associated task.
Task TypeThe task type. Options are:
Interface
VLAN
Probe
Application
Host
VPN
Inter-business
Baseline AnalysisDisplays when the Baseline Analysis feature is enabled in the NAT
parameters.
The Baseline Analysis feature provides an additional layer of analysis to NTA reports by
including baseline trend data when data has been collected for a minimum of one week
3.
to the Modify page for the associated task.

To query NTA for the most current Traffic Analysis Task List, click the Refresh button located
in the upper left corner of the Traffic Analysis Task List.
NOTE: You can sort the Traffic Analysis Task List by the Name, Task Description, Task Type, and
Baseline Analysis fields. Click the column label to sort the list by the selected field. The column
label allows you to toggle between the sort options specific to each field.
Viewing probe traffic analysis task details

To view the details for a probe traffic analysis task:
and Audit page.
page.
3.
To view the details for an individual task, click the contents in the Task Name field of the Traffic
Analysis Task List whose Task Type is Probe.
Traffic analysis task details
4.
Task TypeIdentifies the task type. Options are:
interface
VLAN
probe
application
host
VPN
inter-business
Baseline AnalysisIndicates whether the Baseline Analysis feature is enabled for the task.
If the Baseline Analysis field is not displayed, the Baseline Analysis feature is disabled in
the NTA parameters. For more information on configuration options for the NTA
parameters, including the Baseline Analysis feature, see Configuring NTA traffic analysis
parameters.
Probe InformationLists the name, IP address, and description for the probe providing
traffic for this traffic analysis task.
Adding a probe traffic analysis task

To add a probe traffic analysis task:
and Audit page.
page.
3.
Click Add.
4.
5.
To add a probe traffic analysis task, click the option next to Probe in the Select Task Type
section.
Click Next.
6.
Enter a name for this task in the Task Name field. The task name must be unique.
NOTE: The name you assign to a task is the link to the task reports. Therefore, assign
descriptive and meaningful names to a task that help you navigate to reports quickly and
easily.
7.
8.

169
9.
To select the operator groups that have access to the analysis and reports provided by this
probe task, click the Select button next to the Reader field.
The Operator Group List dialog box is displayed.
10. From the Operator Group List, select the checkbox next to the operator group Name for every
operator group you want to grant access to. To select all operator groups, select the checkbox
in the upper left corner of the column label field for all boxes.
11. To accept the operator group selection, click OK.
The selected operator groups are displayed in the Reader field.
12. To enable the Baseline Analysis feature for the reports generated by this task, select Enable
from the Baseline Analysis list.
If you select Enable, the baseline analysis trendline is displayed on graphs that support this
feature approximately seven days after the creation of the task. Initially the baseline trendline
displays statistics based on the first weeks collection and is adjusted over time as more data
is collected.
To disable the Baseline Analysis feature, select Disable.
If the Baseline Analysis list is not displayed, the Baseline Analysis feature is disabled in the
13. To select the probe that provides network flow data, select the option in the Select field next
to the probe name you want to add in the Probe Information list.
14. To create the probe traffic analysis task, click OK.
After you create a probe traffic analysis task, NTA creates a
Probe Traffic Analysis Task entry
on the left navigation tree. Click the entry to view the summary report for the probe traffic analysis
tasks.
to the right of
Probe Traffic Analysis
Task. The Probe Traffic Analysis Task shortcut menu appears to display all probe traffic analysis
tasks created in NTA. Click the name link for a task to view the probe traffic analysis report of the
task.
For more information on accessing and viewing probe traffic analysis reports, see Viewing probe
Modifying a probe traffic analysis task

To modify a probe traffic analysis task:
Management link.
page.
3.
associated with the probe traffic analysis task you want to modify.
The Modify Traffic Analysis Task page is displayed.

4.
5.
6.
Modify the description for this task in the Task Description field.
From the Server list, select the NTA NetStream, NetFlow, or sFlow collection server.
170
Probe monitoring
7.
probe task, click the Select button next to the Reader field.
8.
9.
From the Operator Group List, select the checkbox next to the operator group Name for every
operator group you want to grant access to. To select all operator groups, select the checkbox
in the upper right corner of the column label field for all boxes.
To accept the new additions to operator group, click OK.
10. To revoke operator group access to the results of this probe traffic analysis task, highlight the
groups you want to remove in the Reader field.
11. Click Delete.
12. To confirm the deletion of the selected operator groups from the task, click OK.
13. To enable the Baseline Analysis feature for the reports generated by this task, select Enable
from the Baseline Analysis list.
If you select Enable from this list, the baseline analysis trendline is displayed on graphs that
support this feature approximately seven days after the creation of the task. Initially the baseline
To disable the Baseline Analysis feature, select Disable.
If the Baseline Analysis list is not displayed, the Baseline Analysis feature is disabled in the
14. To change the probe that you want to use for this task, select the option in the Select field next
to the probe name you want to add in the Probe Information list.
15. To accept your modifications the probe traffic analysis task, click OK.
Deleting a probe traffic analysis task

To delete a probe traffic analysis task:
Management link.
Management page.
3.
4.

associated with the probe traffic analysis task you want to delete.
To confirm the deletion of the selected probe traffic analysis task, click OK.
The Traffic Analysis Task List is updated to reflect the removal of the deleted task.
Viewing probe traffic analysis reports

summarized reporting for all tasks of the same type whether the task type is interface, VLAN,
application, probe, host, VPN, or inter-business. These reports are accessed by clicking the highest
level entry of the left navigation tree under the Traffic Analysis and Audit section. To view
summarized reporting for all probe tasks, click the
Probe Traffic Analysis Task entry of the left
navigation tree.
NTA also provides detailed reporting for individual tasks. NTA groups individual tasks by type.
All probe tasks can be found on the Probe Traffic Analysis Task menu.
171
To view the Probe Traffic Analysis Task shortcut menu, move your mouse pointer to the shortcut
menu icon
to the right of
Probe Traffic Analysis Task. The shortcut menu displays all probe
traffic analysis tasks created in NTA. Click the name link for a task to view the probe traffic analysis
report of the task.
This section explores the reporting options available for probe traffic analysis tasks, including a
review of process for navigating to probe traffic analysis tasks, a review of the summary reports
available for probe tasks, and a review of the reports and features available for an individual
probe traffic analysis task.
Navigating to the probe traffic analysis reports

To navigate to probe traffic reports:
2.
3.
To view summary reporting for all probe tasks, click the

Probe Traffic Analysis Task entry
in the Traffic Analysis and Audit area of the left navigation tree.
To view summary reporting for an individual task, move your mouse pointer to the shortcut
menu icon
to the right of
Probe Traffic Analysis Task.
The Probe Traffic Analysis Task shortcut menu appears to display all probe traffic analysis
tasks created in NTA. Click the name link for a task to view the probe traffic analysis report
of an individual task.
Summary reports for all probe tasks

are accessed by clicking the Probe Traffic Analysis Task entry of the left navigation tree under
the Traffic Analysis and Audit section. In addition, these reports provide navigation aids to the
reports for an individual task. This section reviews the summarized reports and the features found
in them.

The Average Rate bar graph summarizes the average rate of traffic for all probe tasks. You can
access this graph by clicking the
Probe Traffic Analysis Task entry on the left navigation tree.
The bars in the graph link to the reports for the selected probe task.
You can access this graph by clicking the
tree.
Probe Traffic Analysis Task entry of the left navigation
The Traffic Trend for Selected Task line chart displays the average traffic rate per second for the
selected probe task. The TopN Application for Selected Task pie chart displays the distribution of
traffic for the selected probe task. These charts are located in the middle of the page.
172
Probe monitoring
Figure 90 Summary Report: TopN Application by Selected Task
By default, this chart contains no data. To populate this chart with data, you must first select a
probe task.
1. To select a task, click the Select Task link located in the upper right corner of the Traffic Trend
and TopN Application for Selected Task title bar.
2. The Choose NTA Task dialog box is displayed. Click the box next to the probe task you want
to view this report for.
3. Click OK.
The page displays the Traffic Trend and TopN Application for Selected Task reports for the selected
task.

The Summary List provides the total volume of traffic and traffic rates summarized by probe task
for the last hour.
Task NameThe name of the probe traffic analysis task.

The contents of this field link to reports for associated tasks.
TrafficThe total volume of traffic in the last hour for the associated probe.
RateThe rate of traffic in the last hour for the associated probe.
Traffic Log AuditThe Traffic Log Audit icon
is a shortcut to the Traffic Log Audit page.
For more information on the NTA traffic log auditing feature, see Performing traffic log audits
in NTA.
1.
The Add button at the top of the Summary List is a shortcut to the Add Probe Traffic Analysis
Task page.
For more information on adding probe traffic analysis tasks, see Adding a probe traffic
analysis task.
2.
Detailed reports for a probe traffic analysis task

In addition to summary reporting for all tasks, NTA provides a suite of reports for viewing more
detailed probe data from different perspectives. Detailed reports for probes are organized into
five reporting groups:
Traffic reportsProvide overall traffic statistics for the selected time range for probe tasks.
Application reports Provide rate of traffic statistics by application with details for an individual
application.
173
Source reports Provide rate and percentage distribution of traffic by source host for the task
for the selected time range.
Destination reports Provide rate and percentage distribution of traffic by destination host
the task for the selected time range.
Session reports Display the rate and percentage distribution of traffic on source and
destination pairs for the selected time range.
Source, destination, and session reports allow you to access more detailed data.
Traffic reports
Traffic reports for probe tasks provide statistics for the probe traffic analysis task. The Traffic Trend
chart that displays average traffic rate, and minimum average, maximum average, and average
traffic rate statistics in a table for the associated task. The Traffic Details list provides individual
data collection samples: timestamp, total volume of traffic, and traffic rate in seconds. You can
filter reports by time range.
To view the reports for a probe task, click the Traffic tab to view traffic reports for the selected
Query traffic
NTA enables you to change the filter criteria for probe reports. You can change the default settings
for the time range for the graphs and tables to customize the reports displayed under the Traffic
tab.
icon
2.
in the query
Click OK.
174
Probe monitoring
end time.
b.
3.
To view reports using the IMC Intelligent Analysis Report Viewer and to print or export all
reports, click the Export button.
a.
b.
c.

In Page Range, select the page range.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)
on the toolbar.
In Page Range, select the page range.

Click Export.
Traffic trend - average

The Traffic Trend line chart displays the average traffic rate for the selected time range. This chart
provides total, minimum average, maximum average, and average traffic rate statistics in a table
for traffic for the associated task for the selected time range.
Traffic trend - peak rate

the associated task for the selected time range. This chart contains two lines. The red line displays
the maximum peak rate. The green line displays the MIN peak rate.
175
Figure 92 Traffic Report: Traffic Trend Peak Rate Report
For more information on enabling Peak Traffic Analysis, see Configuring NTA traffic analysis
parameters.
Traffic details
time range. This report includes timestamp, total volume of traffic and traffic rate in seconds.
Application reports
Application reports provide rate of traffic statistics by application, by protocol, and by application
category for a task, with details for an individual application. Application reports for a probe
traffic analysis task include the Application List, which provides a list of applications captured by
the probe in the selected probe traffic analysis task. This report also provides additional reports
for the selected application. The Application Traffic Trend stacked area chart displays average
traffic rates for all applications captured by the probe in the selected traffic analysis task.
Protocol reports for a probe traffic analysis task include the Protocol List, which provides a list of
protocols captured by the probe in the selected probe traffic analysis task. This report also links
to additional reports for the selected protocol. The Protocol Traffic Trend stacked area chart provides
average traffic rates for all protocols captured by the probe in the selected traffic analysis task.
Application category reports for a probe traffic analysis task include the Application Category List,
which provides a list of the application categories captured by the probe in the selected probe
traffic analysis task. This report also provides additional reports for the selected application category.
The Application Category Traffic Trend stacked area chart provides average traffic rates for all
application categories captured by the probe in the selected traffic analysis task.
NTA provides a query option for filtering reports based on criteria you define. To view the reports
for a probe task, click the Application tab to view application reports for the selected probe traffic
analysis task, and set Query Type to Application as described in Query applications.
176
Probe monitoring
information on applications in NTA, see Managing applications. In this section we will explore
Query applications
settings for query type, application, or time range for the graphs and tables to customize the reports
listed on the Application tab.
1.
2.
The page displays the report for Layer 4 through Layer 7 applications.
3.
ApplicationTo select the application you want to search for, click the Select button
located to the right of the Application field.
The Query Applications dialog box is displayed and an empty Application List is displayed
in the lower portion of the dialog box. To select the applications you want to search for,
you must first query the Application List. To do so:
a.
the dialog box:
ApplicationTo search for applications, enter a partial or complete name in the

Application field.
Pre-definedTo search for predefined applications, select Yes in the Pre-defined

list.
To filter for user-defined applications, select No.
b.
c.
d.
e.
Click Query to begin your search. The results of your query are displayed in the Application
List displayed below the Query Applications section.
Click the boxes next to the applications you want to search for.
Click OK to add the applications to the filter. The applications you selected are displayed
in the Application field.
Click the Clear button located to the right of the Application field to clear all selected
applications.
time.
time.
Viewing probe traffic analysis reports 177
4.
Click OK.
5.
Click the Export button to view reports using IMC Intelligent Analysis Report Viewer and to
print or export all reports found on this page.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
Application list
The Application List provides a list of the applications observed for the selected probe traffic analysis
task during the selected time range. This list displays the application name, a link for viewing the
ports for all unknown applications, total volume of traffic for the associated application, rate of
traffic, and the percentage of traffic on all probes generated by the associated application. The
application name in the Application field is a link to reports for the selected application.
To view this report for an individual application, click the name link for the application. For more
information about the individual application reports, see Individual application reports.
The Application Traffic Trend stacked area chart provides average traffic for all applications
observed for the selected traffic analysis task for the selected time range.
178
Probe monitoring
Figure 95 Application Report: Application Traffic Trend

NTA provides traffic trend statistics for the individual applications that were captured by the probe
for a selected task. The Traffic Trend report displays the average rate of traffic for the selected
application. The TopN Application Usage List for Source and Destination Hosts identifies the source
and destination hosts that contributed the greatest volume of traffic for the selected application.
Also included are reports for unknown TCP and UDP applications. Unknown applications are those
applications for which the layer 4 TCP or UDP port number has not been assigned a name and is
not included as an application in NTA. For more information on assigning names to TCP or UDP
ports and adding them as applications to NTA, see Managing applications.
To view individual application reports for a probe task, click the name in the Application field of
the Application List report for the application for which you want to view this report.
To view unknown application reports for a probe task, click the icon
in the Application field of
the Application List report for the application for which you want to view this report.
for the probe in the selected traffic analysis task.
chart.
Figure 96 Application Traffic Trend for an individual application

The TopN Application Usage List includes the Source Host List and the Destination Host List.
179
The Source Host List provides a list of the TopN source hosts measured by the volume of traffic in
the selected probe traffic analysis task for the selected time range. This list includes the source host
IP address, total volume of traffic for the associated source, and the percentage of all observed
traffic generated by the source. The host query icon
next to the Source Host IP Address is a
The Destination Host List provides you with a list of the TopN destination hosts measured by volume
of traffic captured by the probe in the selected probe traffic analysis task for the selected time
range. This list includes the destination IP address, total volume of traffic for the associated
destination, and the percentage of all observed traffic generated by the destination. The host query
icon
next to the Destination Host IP Address serves as a link for initiating a host query as well
as a link for navigating to the results of the query.
Figure 97 Application Report: TopN Application Usage List
TopN traffic report for unknown TCP/UDP applications by port

The TopN Traffic Report for Unknown TCP/UDP Applications by Port provides the distribution of
application captured by the probe in the selected traffic analysis task for the selected time range.
NTA enables you to change how the traffic is grouped. To group by port, select Port from the
Group By list in the upper right corner of the TopN Traffic Report for Unknown TCP/UDP Applications
by Port section of the page.
To group by source host, select Source Host in the Group By list.
To group by destination host, select Destination Host in the Group By list.
Figure 98 Application Report: TopN Traffic Report for Unknown TCP/UDP Applications by Port
TopN traffic list for unknown TCP/UDP applications by port

The TopN Traffic List for Unknown TCP/UDP Applications by Port provides a list of the TopN
unknown TCP or UDP applications measured by volume and rate of traffic captured by the probe
in the selected probe traffic analysis task for the selected time range. This list includes the TCP or
UDP port number, total volume of traffic for the associated port, rate of traffic, and the percentage
of all observed traffic generated by the port. The port number is a link to individual reports for the
selected port. The icon
in the Define Application field is a link for adding the selected port as
a layer 4 application to NTA. For more information on managing applications in NTA, see
Figure 99 Application Report: TopN Traffic List for Unknown TCP/UDP Applications by Port
TopN traffic list for unknown TCP/UDP applications by source host

The TopN Traffic List for Unknown TCP/UDP Applications by Source Host provides a list of the TopN
unknown TCP or UDP applications measured by volume and rate of traffic captured by the probe
in the selected probe traffic analysis task for the selected time range. This list includes the source
host IP address, total volume of traffic for the associated source, rate of traffic, and the percentage
of all observed traffic generated by the source. The host query icon
a link for initiating a host query and a link to the results of the query.
next to the Source Host is
Figure 100 Application Report: TopN Traffic List for Unknown TCP/UDP Applications by Source
Host
TopN traffic list for unknown TCP/UDP applications by destination host

The TopN Traffic List for Unknown TCP/UDP Applications by Destination Host provides a list of the
TopN unknown TCP or UDP applications, measured by volume and rate of traffic captured by the
probe in the selected probe traffic analysis task for the selected time range. This list includes the
destination host IP address, total volume of traffic for the associated destination, rate of traffic, and
181
the percentage of all observed traffic generated by the destination. The host query icon
next
to the Destination Host is a link for initiating a host query and a link to the results of the query.
Figure 101 Application Report: TopN Traffic List for Unknown TCP/UDP Applications by Destination
Host

To view this report for an probe task, click the link in the Port field of the TopN Traffic List for
Unknown TP/UDP Applications by Port for the unknown TCP or UDP application you want to view
this report for.
The Traffic Trend graph provides the average rate for an individual unknown application captured
by the probe in the selected traffic analysis task.
Figure 102 Application Report: Traffic Trend Report for Unknown TCP/UDP Applications by Port
TopN traffic details for unknown TCP/UDP applications by port

To view this report for an probe task, click the link in the Port field of the TopN Traffic List for
Unknown TCP/UDP Applications by Port for the unknown TCP or UDP application you want to view
this report for.
The TopN Traffic Details for Unknown TCP/UDP Applications by Port displays the TopN source and
destination host pairs, the volume of traffic sent and received between this source host and the
destination, the rate of traffic observed between the pair, and the percentage of all traffic observed
for this source host.
Figure 103 Application Report: TopN Traffic Details for Unknown Applications by Port
182
Probe monitoring
Protocol Reports
Protocol reports display traffic rate trend reports organized by the list of predefined and user-defined
protocols in NTA. Protocol reports for a probe traffic analysis task include the Protocol List, which
provides a list of protocols captured by the probe in the selected probe traffic analysis task. This
report also provides drilldown capabilities for additional reports for the selected protocol. The
Protocol Traffic Trend stacked area chart displays average traffic rates for all protocols captured
by the probe in the selected traffic analysis task. Protocol reports also include traffic lists and trend
reports for individual protocols.
As with all of the report types for a probe task, NTA also provides you with a query option for
filtering reports based on criteria you define. To view the reports for a probe task, click the
Application tab to view application reports for the selected probe traffic analysis task, and set
Query Type to Protocol as described in "Query protocols." For more information on protocols in
NTA, see Managing protocols. This section explores the reports available for protocols.
Query protocols
To view reports by protocol, you must configure the filter criteria for application reports. You can
change the default settings for query type, protocol, or time range for the graphs and tables to
customize the reports displayed on the Application tab.
1.
2.
3.
Select Protocol from the Query Type list. The page displays the report for protocols.
ProtocolTo select the protocol you want to search for, click the Select button next to the
Protocol field.
The Query Protocols dialog box displays an empty Protocol List.
so, perform the following steps:
a.
dialog box:
Pre-definedTo search for protocols that are predefined, select Yes in the Pre-defined
list.
To filter for protocols that are user-defined, select No.
To include system or predefined and user-defined protocols, select Not limited.
b.
c.
List displayed below the Query Protocols section.
Select the checkboxes next to the protocols for which you want to search.
d.
e.
Click OK to add the protocols to the filter.

The protocols you selected are displayed in the Protocol field.
Click the Clear button to the right of the Protocol field to clear all selected protocols.
time.
time.
Additionally, to set the start time and end time for the protocol report, you can click the
query criteria icon
to set the time range for the traffic report for protocols.
4.
Click OK.
5.
to print or export all reports on this page.
a.
b.
c.

Select the page range in Page Range.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)
on the toolbar.

Click Export.
Protocol list
The Protocol List provides a list of the protocols captured by the probe in the selected probe traffic
analysis task for the selected time range. This list includes the protocol name, total volume of traffic
for the associated protocol, rate of traffic, and the percentage of traffic on the probe generated
by the associated protocol. The protocol name in the Protocol field is a link to reports for the selected
protocol.

The Protocol Traffic Trend stacked area chart displays average traffic rates for all protocols captured
by the probe in the selected traffic analysis task for the selected time range.
Figure 105 Application Report: Protocol Traffic Trend

NTA provides traffic trend statistics for the individual protocols that were captured by the probe
for a selected task. Individual protocol reports include the Protocol Traffic Trend report that displays
the average rate of traffic for the selected protocol. Individual protocol reports also include the
TopN Protocol Usage List source and destination hosts list that identifies which source and destination
hosts contributed the greatest volume of traffic for the selected protocol.
To view individual protocol reports for a probe task, click the name in the Protocol field of the
Protocol List report for the protocol for which you want to view this report. For more information
about Protocol List, see "Protocol list."
The Protocol Traffic Trend graph provides the average rate for an individual protocol captured by
the probe in the selected traffic analysis task.
chart.
Figure 106 Application Report: Traffic Trend Report for an Individual Protocol

The TopN Protocol Usage List includes Source Host List and the Destination Host List.
The TopN Protocol Usage List - Source Host List displays a list of the TopN source hosts, measured
by volume of traffic captured by the probe in the selected probe traffic analysis task for the selected
time range. This list includes the source host IP address, total volume of traffic for the associated
source, and the percentage of all observed traffic generated by the source. The host query icon
next to the Source Host IP Address is a link for initiating a host query and a link to the results
of the query.
The TopN Protocol Usage List - Destination Host List displays a list of the TopN destination hosts,
measured by volume of traffic captured by the probe in the selected probe traffic analysis task for
the selected time range. This list includes the destination IP address, total volume of traffic for the
associated destination, and the percentage of all observed traffic generated by the destination.
The host query icon
next to the Destination Host IP Address is a link for initiating a host query
and a link to the results of the query.
Figure 107 Application Report: TopN Protocol Usage List

Application category reports display traffic rate trend reports organized by the NTA application
categories. Application category reports for a probe traffic analysis task include the Application
Category List, which provides a list of the application categories captured by the probe in the
selected probe traffic analysis task. This list includes total volume of traffic for the associated
application categories, rate of traffic, and the percentage of all observed traffic captured by the
probe generated by the associated application category. This report also provides access to
additional reports for the selected application category. The Application Category Traffic Trend
stacked area chart provides average traffic rates for all applications captured by the probe in the
selected traffic analysis task. Application category reports also include traffic lists and trend reports
for the individual application categories.
As with all of the report types for a probe task, NTA also provides you with a query option for
filtering reports based on criteria you define. To view the reports for a probe task, click the
Application tab to view application reports for the selected probe traffic analysis task, and set
Query Type to Application Category as described in "Query application categories."
NTA provides system-defined application categories and supports user-defined application
categories. For more information on application categories in NTA, see Managing application
categories. This section explores the reports available for application categories.
category reports.
NTA enables you to change the filter criteria for application category reports. You can change the
default settings for query type, application category, or time range for the graphs and tables to
customize the reports.
1.
2.
Select Application Category from the Query Type list. The page displays the report for
3.
the Select button next to the Application Category field.
The Query Application Categories dialog box displays an empty Application Category
List.
To select the application categories you want to search for, you must first query the
Application Category List. To do so:
a.
In the Query Application Categories section, enter one or more of the following search
criteria:

you want to search for.
Pre-definedTo search for application categories that are predefined, select Yes in
the Pre-defined list.
To filter for application categories that are user-defined, select No.
To include system or predefined and user-defined application categories, select Not
limited.
b.

The results of your query are displayed in the Application Category List below the Query
Application Categories section.
criteria.
c.
Select the checkboxes next to the application categories for which you want to search.
187
d.
Click OK to add the application categories to the filter.

The application categories are displayed in the Application Category field.
Click the Clear button to the right of the Application Category field to clear all selected
end time.
Additionally, to set the start time and end time for the application category report,
you can click the query criteria icon
in the upper right corner of the application
category report. On the list that appears, select Last 1 hour, Last 3 hours, Last 12
hours, Last 24 hours, Last 7 days, Last 30 days, Last 3 months, or Custom. Click the
Query icon
in the query criteria area to set the time range for the traffic report
for application categories.
4.
Click OK.
5.
Click the Export button to view reports using IMC Intelligent Analysis Report Viewer and to
print or export all reports found on this page.
a.
b.
c.

on the toolbar.
Select the page range from Page Range.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)
Select the desired page rang from Page Range.

Click Export.

The Application Category List provides a list of the application categories captured by the probe
in the selected probe traffic analysis task for the selected time range. This list includes the application
category name, total volume of traffic for the associated application category, rate of traffic, and
the percentage of traffic on the probe generated by the associated application category. The
application category name in the Application Category field is a link to reports for the selected
application category.
The Application Category Traffic Trend stacked area chart provides average traffic rates for all
application categories captured by the probe in the selected traffic analysis task for the selected
time range.
Figure 109 Application Report: Application Category Traffic Trend

NTA provides traffic trend statistics for the individual application categories that are captured by
the probe for a selected task. Individual application category reports include the Application
Category Traffic Trend report and the TopN Application Category Usage List.
To view application category reports for a probe task, click the name in the Application Category
field of the Application Category List report for the application category for which you want to view
this report. For more information about Application Category List, see "Application category list."
The Application Category Traffic Trend graph displays the average rate for an individual application
category captured by the probe in the selected traffic analysis task. By default, this graph displays
chart.
To return to the main Application Category report page, click Back.
Figure 110 Application Report: Traffic Trend Report for an Individual Application Category

The TopN Application Category Usage List includes the Source Host List and the Destination Host
List.
The TopN Application Category Usage List Source Host List provides a list of the TopN source
hosts measured by volume of traffic captured by the probe in the selected probe traffic analysis
task for the selected time range. This list includes the source host IP address, total volume of traffic
for the associated source, and the percentage of all observed traffic generated by the source. The
host query icon
next to the Source Host IP Address is a link for initiating a host query and a
The Destination Host List provides a list of the TopN destination hosts measured by volume of traffic
captured by the probe in the selected probe traffic analysis task for the selected time range. This
list includes the destination IP address, total volume of traffic for the associated destination, and
next
to the Destination Host IP Address is a link for initiating a host query and a link to the results of the
query.
Figure 111 Application Report: TopN Application Usage List - Destination Host List
Source reports
Source reports include the TopN Traffic Report for Source Host chart that provides the distribution
of traffic for the TopN source hosts for the selected traffic analysis task. This report also contains
a link to traffic reports for the selected source host. Source reports also include the TopN Traffic
List for Source Host, which provides a list of the TopN source hosts measured by volume of traffic
for the selected task. This report also contains a link to reports for the selected source host. The
query icon
next to the Source IP address is a link for initiating a host query and a link to the
results of the query. NTA also provides a query option for filtering reports based on criteria you
define.
To view the reports for a probe task, Click the Source tab to view traffic reports for the selected
Query sources
1.
In the query criteria area in the upper right corner of the source report, click the query criteria
icon
2.
in the query
3.

Enter or select one or more of the following search criteria:
Source HostEnter the IP address or address range in the Source Host field. To enter the
IP address for a single host, enter the IP address using dotted decimal notation.
10.153.89.10

10.153.89.0/255.255.255.0
A valid network or subnet mask entry using CIDR notation:

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
191
5.
reports, click the Export button.
a.
b.
c.

d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)
on the toolbar.

Click Export.

inbound/outbound traffic in a certain period of time in a selected probe traffic analysis task. Click
a bar in the chart to view the traffic analysis report of each source host.
to change the bar chart to a pie chart. The pie chart displays the traffic
distribution of the TopN source hosts in the selected traffic analysis task for the selected time range.
Each slice of the pie chart serves as a link for navigating to traffic reports for the selected source
host.

of traffic for the selected probe traffic analysis task for the selected time range. This list includes
the source host IP address, total volume of traffic for the associated source, and the percentage of
all observed traffic generated by the source. The IP address is a link to reports for the selected
source host. The probe query icon
next to the Source IP address is a link for initiating a host
query and a link to the results of the query.
Figure 113 Source Report: TopN Traffic List for Source Host

To view this report for a probe task, click the bar of the bar chart on the TopN Traffic Report for
Source Host report for the source host you want to view statistics for. Or, click the IP address for
the source host you want to view statistics for from the TopN Traffic List for Source Host list.
The Traffic Trend Report for Source Host line chart displays the average rate of traffic for the selected
source host. By default, the Traffic Trend Report for Source Host chart displays statistics for the
previous hour.
chart.
To return to the main Source host report page, click Back.
Traffic details
Source Host report for the source host you want to view statistics for. Or, click the IP address for
the source host you want to view statistics for from the TopN Traffic List for Source Host list.
The Traffic Details for a source host table provides two lists. The TopN Destination Hosts
of traffic sent and received between the source and destination hosts, and the percentage of all
traffic observed for the source and destination hosts.
193
Figure 115 Source Report: Traffic Details
Destination reports
The TopN Traffic Report for Destination Host chart provides the distribution of traffic for the TopN
destination hosts for the selected traffic analysis task. This report also contains a link to traffic
reports for the selected destination host.
by volume of traffic for the selected task. This report contains a link to reports for the selected
destination host. The host query icon
next to the Destination IP address is a link for initiating a
host query and a link to the results of the query. NTA also provides a query option for filtering
To view the reports for a probe task, click the Destination tab to view traffic reports for the selected
Query destinations
settings for the destination host or time range to customize the charts and lists displayed on the
Destination tab.
criteria icon
2.
in
To customize the time range for the destination report, select Custom from the list that appears
3.

Destination Host Enter the IP address or address range in the Destination Host field. To
enter the IP address for a single host, enter the IP address using dotted decimal notation.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1
194
Probe monitoring
a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
reports found on this page, click the Export button.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for Destination Host bar chart displays the TopN destination hosts with the
most inbound/outbound traffic in a certain period of time in a selected probe traffic analysis task.
Click the bars in the chart to view the traffic analysis report of each destination host.
distribution of the TopN destination hosts in the selected traffic analysis task for the selected time
range.

by volume of traffic for the selected probe traffic analysis task for the selected time range. This list
includes the destination host IP address, total volume of traffic for the associated destination, and
the percentage of all observed traffic generated by the destination. The IP address is a link to
reports for the selected destination. The host query icon
next to the Destination IP address is a

To view this report for a probe task, click the slice of the pie chart on the TopN Traffic Report for
Destination Host report for the destination host you want to view statistics for. Or, click the IP
address for the destination host you want to view statistics for from the TopN Traffic List for
Destination Host list.
chart.
To return to the main Destination host report page, click Back.
Traffic details
Destination Host report for the destination host you want to view statistics for. Or, click the IP
196
Probe monitoring
The Traffic Details for a destination host table provides two lists. The TopN Source Hosts
of traffic sent and received between this destination host and the source hosts, and the percentage
of all traffic observed for this destination host and the source hosts.
Figure 119 Destination Report: Traffic details
Session reports
A session is a unique source and destination pair. Session reports include the TopN Traffic Report
for Session Host chart that provides the distribution of traffic for the TopN session pairs for the
selected traffic analysis task for the selected time range. This report also contains a link to traffic
reports for the selected host. Session reports also include the TopN Traffic List for Session Host that
provides a list of the TopN session pairs measured by volume of traffic observed for the selected
probe traffic analysis task. This report also contains a link to reports for the selected session host.
The host query icon
next to the Session IP address is a link for initiating a probe query and a
link to the results of the query. As with all of the report types for a probe task, NTA also provides
To view the reports for a probe task, click the Session tab to view traffic reports for the selected
Query sessions
for source or destination pair information, or change the time range to customize the charts and
lists displayed under the Session tab.
icon
2.
in the query
197
3.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
reports found on this page, click the Export button.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for Session Host chart displays the distribution of traffic for TopN session
source and destination pairs for the selected traffic analysis task for the selected time range. Each
slice of the pie chart is a link to traffic reports for the selected source and destination session pair.

The TopN Traffic List for Session Host provides a list of the TopN session source and destination
pairs measured by volume of traffic observed for the selected probe traffic analysis task for the
selected time range. This list includes the source and destination IP addresses, total volume of traffic
generated by the source and destination session pair, and the percentage of all observed traffic
generated between the source and destination session pair. The icon
in the Details field is a
link to reports for the selected session or source and destination pair. The Host query icon
next
to the Source Host and Destination Host IP address fields is a link for initiating a host query and a

Session Host report for the session pair you want to view statistics for. Or, click the Details icon
chart.
To return to the main Session report page, click Back.

Session Host report for the session pair you want to view statistics for. Or, click the Details icon
7 Application monitoring
This chapter describes application monitoring in NTA. It provides an overview of how NTA looks
at network flow data from the viewpoint of applications, a look at the reports available for
application traffic analyses, and a review of configuration considerations around application
analysis tasks and the reports they generate. It explores the process for managing application
traffic analysis tasks. It provides a survey of the summary reports for all application tasks and a
look at the more detailed reports for an individual application traffic analysis task.
Application traffic analysis overview

Application traffic analysis tasks analyze network flow data by examining the application data in
network flow records. NTA parses network flow data and provides various statistical views of
network traffic generated by the applications configured in an application traffic analysis task. For
example, NTA provides source and destination host traffic rate information, which shows the rate
of traffic attributed to specific source or destination hosts that were observed sending or receiving
application traffic for the applications specified in a task. Session reports display the source and
destination host pairs that are observed sending or receiving traffic for the specified application.
Because analyses based on hosts are not tied to a specific data source, such as an interface,
device, or probe, these reports enable you to view application traffic rates for all areas of the
network that generate network flow records.
The NTA application traffic analysis tasks provide traffic statistics for the applications configured
in every application traffic analysis task. In general, the application traffic reports include rate of
traffic for all applications in all tasks and for the applications in a task. Application statistics provide
per-second traffic rate for each application in a task. Also, they provide distribution of application
traffic generated by source host, destination host, or by a session or source/destination host pair.
These reports are organized into multiple layers from summarized information for tasks to detailed
reporting for specific applications configured for an individual application traffic analysis task.
This chapter looks at the report structure for application traffic analyses, configuration issues around
traffic analysis tasks and the reports they generate and explores the process for managing
application traffic analysis tasks, including step-by-step instructions for adding, modifying, and
deleting tasks from NTA. This chapter provides a survey of the summary reports for all application
tasks and also looks at the more granular reports for an individual application traffic analysis task.
Application traffic analysis reporting overview

After you create the first application traffic analysis task, NTA creates an
Application Traffic
Analysis Task entry under the section Traffic Analysis and Audit on the left navigation tree.
Click Application Traffic Analysis Task on the left navigation tree to view the summary report
for all application traffic analysis tasks.
to the right of Application Traffic Analysis
Task. The Application Traffic Analysis Task shortcut menu appears to display all application traffic
analysis tasks created in NTA. Click the name link for a task to view the application traffic analysis
report of the task.
The summary application traffic analysis report includes the following contents:
Average Rate (Last 1 Hour)This bar graph provides summarized average traffic rate per
second reporting for all applications specified in all application traffic analysis tasks
summarized by task for the last hour. Each bar in the graph is a link to more detailed reporting
Application traffic analysis overview 201
for the selected task. This includes reporting for traffic rates, source, destination, and session
statistics. Each of these detailed categories include several reports:
TrafficReports found under the Traffic tab for application reporting include traffic trends
that display the average rate per second attributed to the applications in the selected task
and the data samples for the applications in the selected task.
SourceReports found under the Source tab for application reporting include a pie chart
showing the percentage of traffic generated by the TopN source hosts. Also included is
a tabular list showing volume and percentage of traffic generated for each of the TopN
source hosts that generated traffic for the selected application.
DestinationReports found under the Destination tab for application reporting include a
pie chart showing the percentage of traffic generated by the TopN destination hosts. Also
included is a tabular report showing volume and percentage of traffic generated for each
of the TopN destination hosts that generated traffic for the selected application.
SessionReports found under the Session tab for application reporting include a pie
chart showing the percentage of traffic generated by the TopN source and destination
host pairs. Also included is a tabular report showing volume and percentage of traffic
generated for each of the TopN source and destination host pairs that generated traffic
for the selected application.
Traffic Trend for Selected Task (Last 1 Hour)This line chart provides the per second average
traffic rate summarized by application traffic analysis task for the application tasks you select.
Summary List (Last 1 Hour)This list provides the per second traffic rate and the total volume
of traffic summarized by the application traffic analysis task. This list enables you to navigate
to more detailed application reporting for the selected task.
Application traffic analysis configuration considerations

There are several things to consider when you add applications to a task, the most important of
which is determining the applications that belong to each task. The following list provides more
considerations.
By default, NTA does not monitor any applications. Therefore, you must create a task for every
application or group of applications on which you want to monitor and report.
You must anticipate the locations on your network where you are certain to capture application
data. You must enable network flow data for the devices and the interfaces on them for those
locations on your network where you know the application for which you want to monitor
traffic can be captured. Then you need to add these devices and probes to NTA using the
device management and probe management features in NTA. NTA then summarizes application
data for all devices and probes on which it observes the application traffic.
NTA provides summarized application reporting based on the way you group applications
into tasks. Consider how you want to summarize, access, and view application data. Then
structure your tasks around it. For example, you can create an application task called NetMgmt
and add all of the applications used that support the network management function for your
environment. NTA summarizes all traffic observed for all applications into the group NetMgmt
and attribute traffic in the reports to the task name you have configured.
When you add applications to a task, NTA presents a list of all applications that NTA knows
about. This list is generated from the applications that came predefined in NTA and to which
user-defined applications have been added. If the applications you want to add do not appear
on this list, it is most likely because the application has not been added to NTA. For more
information on adding applications to NTA, see Modifying an NTA server configuration.
Managing application traffic analysis tasks

section explores the step-by-step process for managing application traffic analysis tasks in NTA,
including adding, modifying, or removing application traffic analysis tasks in NTA.

NTA displays all tasks in the Traffic Analysis Task List. From this list, you can view, add, modify,
and delete all tasks including application traffic analysis tasks.
2. In the settings area of the Traffic Analysis and Audit page, click the Traffic Analysis Task
Management link.
page.
Task list contents
3.
Task NameContains the name of the task. The contents of this field link to the Traffic
Analysis Task Details page for the associated task.
Task TypeIdentifies the task type, such as interface, VLAN, probe, application, host,
Baseline AnalysisAppears when the baseline analysis feature is enabled in NTA


To query NTA for the most current Traffic Analysis Task List, click the Refresh button located
in the upper left corner of the Traffic Analysis Task List.
and Baseline Analysis fields. Click the column label to sort the list by the selected field. The column
Viewing application traffic analysis task details

To view the details of an application traffic analysis task:
Management link.
Management page.
3.
In the Task Name field of the Traffic Analysis Task List whose Task Type is Application, click
the contents to view the details for an individual task.

Managing application traffic analysis tasks 203
4.
Task TypeIdentifies the traffic analysis task type interface, VLAN, probe, application,
host, VPN, or inter-business.
ReaderIdentifies the groups in IMC that have been granted access to read the reports
generated by the associated task.
Baseline AnalysisIndicates whether the baseline analysis feature is enabled for the task.
If the Baseline Analysis field is not displayed, the baseline analysis feature is disabled in
the NTA parameters. For more information on configuration options for the NTA server,
including the baseline analysis feature, see Configuring NTA traffic analysis parameters.
Application InformationIdentifies all of the applications configured for reporting in the

associated application traffic analysis task.
Interface InformationIdentifies all of the interfaces configured for reporting in the

Probe InformationIdentifies all of the probes configured for reporting in the associated
application traffic analysis task.
Adding an application traffic analysis task

To add an application traffic analysis task:
Management link.
page.
3.
Click Add.
The Add Traffic Analysis Task page appears.
4.
5.
Next to Application on the Select Task Type section, click the option to add an application
Click Next.
6.

descriptive and useful names to a task that helps you navigate to reports quickly and easily.
7.
8.

9.
To the right of the Reader field, click the Select button to select the operator groups that have
access to the analysis and reports provided by this application task.
every operator group for which you want to grant access.
b. In the upper left corner of the column label field for all boxes, click the checkbox to select
all operator groups.
c. Click OK to accept your operator group selection.
The operator groups you selected appear in the Reader field.
10. From the Baseline Analysis list, select Enable to enable the baseline analysis feature for the
reports generated by this task; otherwise, select Disable to disable the baseline analysis feature.
If the Baseline Analysis list is not displayed, the baseline analysis feature is disabled in the
You can add one or more applications to an application traffic analysis task. However, you
must add at least one and no more than 50 applications per task.
NOTE: For considerations when organizing application into tasks, see Application traffic
11. To add applications to the task, click the Add button next to the Application List field.
the dialog box.
12. To select applications to add to your task, you must first query the Application List. To do so,
follow these steps:
search criteria:
b.
ApplicationIn the Application field, enter a partial or complete name for the
applications for which you want to search.
Pre-definedFrom the Pre-defined list, do one of the following:
Select Yes to search for applications that are predefined.
Select No to filter for applications that are user-defined.
Select Not limited to include system or predefined as well as user-defined

applications.

The results of your query appear in the Application List displayed below the Query
Applications section. To display the full Application List, click Query without entering any
search criteria.
c.
Click the checkboxes next to the applications you want to add to the application traffic
analysis task.
NOTE: If the application you want to add does not exist, you can add it to NTA. For
more information on adding applications to NTA, see Managing applications.
d.
Click OK to add the applications to the application traffic analysis task you want to create.
The applications you selected are displayed in the Application List.
13. Above the Interface Information list, click the Select button to select one or more interfaces
that provide network flow data.
The Add Interface page appears.
There are two methods for adding interfaces. You can add them automatically or manually.
The sections that follow explore these two methods.
Obtaining interfaces automatically
a.
At the top of the Add Interface page, click the Obtain Automatically tab to add interfaces
automatically to the task.
All interfaces that you can select for use in a traffic analysis task appear in the Interface
Information list under the Obtain Automatically tab of the Add Interface page.
For the interfaces of a device to appear on this list, you must first add the device to NTA
using the NTA device management feature. Then you must select the device in the NTA
server configuration under Server Management.
For more information about adding a device for traffic analysis to NTA, see Device
management. For more information on selecting devices in NTA server management,
see Modifying an NTA server configuration.
The device you want to add must also be configured to forward NetStream, NetFlow, or
b.
c.
To add one or more interfaces to the task, click the checkbox next to the Interface
Description field for every interface you want to add.
When the interfaces you select are added successfully to the task, they appear in the
Configuring interfaces manually

a.
At the top of the Add Interface page, click the Configure Manually tab to add interfaces
manually to an application traffic analysis task.
The page displays the configuration options for manually adding an interface to a traffic
analysis task.
b.
Assigning a descriptive and meaningful name to an interface helps you navigate quickly
c.
For a device to appear on this list, you must first add the device to NTA using device
management. Then you must select the device in the NTA server configuration under
Server Management.
The device you want to add must be configured to forward NetStream, NetFlow, or sFlow
traffic to NTA as the traffic collector or collection server.
d.
Enter the unique interface index or ifIndex number for the interface in the Interface Index
field.
e.
Click the Resource tab to navigate to the Interface Details page for an individual device.
f.
g.
h.
Locate the device for which you want to view interface details.
In the Device Label column in the Device List All for the device for which you want to
view interface details, click the link.
i.
List link.
For more information on the contents of the Device Details page and the Interface Details
page, see Intelligent Management Center Base Platform Administrator Guide.
j.
k.
Enter the maximum speed of the interface in the Max. Speed field.
From the list next to the Max. Speed field, select the unit of measure for the interface
speed.
maximum interface speed and unit of measure you enter are correct.
l.
14. To select one or more probes that will provide network flow data, select the checkbox next to
the Probe Name field for every probe you want to select.
15. Click OK to create the application traffic analysis task.
Once you create an application traffic analysis task, NTA will create an entry called
Application
Traffic Analysis Task on the left navigation tree. Click the entry to view the summary report for the
application traffic analysis tasks.
to the right of
Application Traffic Analysis
Task. The Application Traffic Analysis Task shortcut menu appears to display all application traffic
analysis tasks created in NTA. Click the name link for a task to view the application traffic analysis
report of the task.
For more information about accessing and viewing application traffic analysis reports, see Viewing
application traffic analysis reports.
Modifying an application traffic analysis task

To modify an application traffic analysis task:
Management link.
page.
3.
for the task you want to modify.
The Modify Traffic Analysis Task page appears.
4.
In the Task Name field, modify the name for this task.
5.
6.
In the Task Description field, modify the description for this task.
From the Server list, select a new NTA, NetStream, NetFlow, or sFlow collection server.
the NTA server. If the NTA server is installed on the same server as the IMC platform, the IP
7.
application task, click the Select button next to the Reader field.
every operator group to which you want to grant access; otherwise, to select all operator
groups, click the checkbox in the upper left corner of the column label field for all boxes.
c.
d.
e.
In the Reader field, highlight the groups you want to remove to revoke operator group
access to the results of this traffic analysis task.
Click Delete.
8.
From the Baseline Analysis list, select Enable to enable the baseline analysis feature for the
reports generated by this task; otherwise, select Disable to disable the baseline analysis feature.
If you selected Enable from this list, the baseline analysis trendline is displayed on graphs that
If the Baseline Analysis list does not appear, it is because the baseline analysis feature is
disabled in the NTA parameters. For more information on configuration options for the NTA
parameters.
9.
To add more applications to the task, click the Add button next to the Application List field.
However, you must have at least one application and no more than 50 applications configured
for each task.
NOTE: For considerations when organizing application into tasks, see Application traffic
the dialog box.
To select applications to add to your task, you must first query the Application List. To do so,
perform the following steps:
10. In the Query Applications section of the dialog box, enter one or more of the following search
criteria:
a. ApplicationIn the Application field, enter a partial or complete name for the applications
for which you want to search.
b.
c.
Pre-definedDo one of the following:
From the Pre-defined list, select Yes to search for applications that are predefined.
From the list, select No to filter for applications that are user-defined.
Select Not limited to include system or predefined and user-defined applications.
If the application you want to add does not exist in the Application List, you can add it
as a user-defined application. For more information on adding applications to NTA, see
d.

section.
e.
f.
Select the checkboxes next to the applications you want to add to the application traffic
analysis task.
Click OK to add the applications to the application traffic analysis task you want to create.
g.
h.
i.
To delete an application from the list, highlight the applications you want to delete.
Click Delete next to the Application List field.
The sections that follow explore these two methods.
Obtaining interfaces automatically
a.
At the top of the Add Interface page, click the Obtain Automatically tab to add interfaces
automatically to the task.
All interfaces that can be selected for use in a traffic analysis task are displayed in the
Interface Information list under the Obtain Automatically tab of the Add Interface page.
using the NTA device management feature. Then the device must be selected in the NTA
server configuration under Server Management.
The device you want to add must also be configured to forward NetStream, NetFlow, or
b.
c.
To add interfaces to the task, select the checkbox next to the Interface Description field
for every interface you want to add.
When you add the selected interfaces successfully to the task, they appear in the Interface
Information list.
Configuring interfaces manually

a.
At the top of the Add Interface page, click the Configure Manually tab to add interfaces
manually to an application traffic analysis task.
b.
Assigning a descriptive and meaningful name to an interface helps you navigate quickly
c.
For a device to appear on this list, the device must first be added to NTA using device
management. Then the device must be selected in the NTA server configuration under
Server Management.
For more information on adding a device for traffic analysis to NTA, see Device
The device you want to add must be configured to forward NetStream, NetFlow, or sFlow
traffic to NTA as the traffic collector or collection server.
d.
In the Interface Index field, enter the unique interface index or ifIndex number for the
interface.
e.
f.
Click the Resource tab to navigate to the Interface Details page for an individual device.
g.
h.
Locate the device for which you want to view interface details.
Click the link in the Device Label column in the Device List All for the device for which
you want to view interface details.
i.
List link.
For more information on the contents of the Device Details page and the Interface Details
page, see Intelligent Management Center Base Platform Administrator Guide.
j.
k.
maximum interface speed and unit of measure you enter are correct.
l.

NOTE: You can use both methods to add interfaces to an interface traffic analysis task.
To do so, complete the steps described for each method.
12. To delete the interface, click the Delete icon
210
Application monitoring
for the interface you want to delete.
13. To modify the interface name and interface speed, click the Modify icon
you want to modify.
for the interface
This field contains a link to the Modify Interface Configuration page for the associated interface.
14. Next to the Probe Name field, click the checkbox or boxes to select one or more probes that
provide network flow data.
Leave the checkbox unchecked if you do not want to analysis the network flow data for the
associated probe.
15. Click OK to accept your modifications to the application traffic analysis task.
Deleting an application traffic analysis task

To delete an application traffic analysis task:
Management link.
page.
3.
4.

for the task you want to delete.
Click OK to confirm the deletion of the selected application traffic analysis task.
The Traffic Analysis Task List reflects the deletion of the selected task.
Viewing application traffic analysis reports

NTA provides several levels of reporting for all application tasks. There are summarized reports
for all tasks, detailed reports for an individual task, and more detailed reports for an application
within a task. All reports can be accessed by clicking the highest level entry of the left navigation
tree under the Traffic Analysis and Audit section. To view summarized reporting for all application
tasks, click the
Application Traffic Analysis Task entry of the left navigation tree.
NTA also provides more detailed reporting for individual application traffic analysis task. NTA
groups individual tasks by type. All application tasks can be found on the Application Traffic
Analysis Task menu.
To view the Application Traffic Analysis Task shortcut menu, move your mouse pointer to the shortcut
menu icon
to the right of
Application Traffic Analysis Task. The shortcut menu displays all
application traffic analysis tasks created in NTA. Click the name link for a task to view the
application traffic analysis report of the task.
This section explores the reporting options available for application traffic analysis tasks, including
a review of process to application traffic analysis tasks, a review of the summary reports available
for application tasks, and a review of the reports and features available for an individual application
Navigating to the application traffic analysis reports

To navigate to application traffic reports:
2.
Application
Traffic Analysis Task entry under the Traffic Analysis and Audit section of the left navigation
tree.
211
3.
the right of
to
Application Traffic Analysis Task.
The Application Traffic Analysis Task menu appears to display all application traffic analysis
tasks created in NTA. Click the name link for a task to view the application traffic analysis
report of the task.
Summary reports for all application tasks

Application Traffic Analysis Task entry of the left navigation tree
under the Traffic Analysis and Audit section. In addition, these reports provide navigation aids to
the reports for an individual task. This section reviews the summarized reports and their features.

The Average Rate bar graph summarizes traffic rates for all applications in every application traffic
analysis task, grouped by application traffic analysis task. You can access this graph by clicking
the
Application Traffic Analysis Task entry of the left navigation tree. The bars in the graph link
to the reports for the selected task.
Figure 124 Summary Report: Application Task Average Rate (Last 1 Hour)
Traffic trend for selected task (last 1 hour)

The Traffic Trend for Selected Task line chart provides traffic trend rates for the selected application
traffic analysis tasks for the last hour. You can access this chart by clicking the
Traffic Analysis Task entry of the left navigation tree.
Application
Figure 125 Summary Report: Traffic Trend for Selected Task
All application tasks are graphed on this line chart until you specify a task.
1. In the upper right corner of the Traffic Trend for Selected Task title bar, click the Select Task
link to select the task.
212
2.
3.
Click the checkbox next to the application task for which you want to view this report.
Click OK.
The page will update to display an updated line chart for the selected application task.

The Summary List provides traffic rates and total volume of traffic statistics summarized by application
task.
1.
On the left navigation tree, click the
Application Traffic entry icon to access the list.
2.
Task NameContains the name of the application traffic analysis task. The contents of
this field link to reports for associated task.
TrafficProvides the total volume of traffic observed for all applications configured for
the associated application task for the last hour.
RateProvides the rate traffic for all applications configured for the associated task for
the last hour.
At the top of the Summary List, click the Add button for a shortcut to the Add Application Traffic
Analysis Task page.
For more information on adding application traffic analysis tasks, see Adding an application
3.
Detailed reports for an application traffic analysis task

In addition to summary reporting for all tasks, NTA provides a suite of reports for viewing application
data from different perspectives. Reports for applications are organized into four reporting groups:
traffic, source, destination, and session.
Traffic reports for application tasks provide overall traffic statistics as well as the data samples
collected for the specified time period.
Source reports provide distribution of traffic for the TopN source hosts for all applications in
a task as well a total traffic volume and percentage of application traffic for the TopN hosts.
Destination reports provide distribution of traffic for the TopN destination hosts for all
applications in a task as well a total traffic volume and percentage of application traffic for
the TopN destination hosts.
Session reports provide distribution of traffic for the TopN session pairs for all applications in
a task as well a total traffic volume and percentage of application traffic for session pairs in
a task.
Source, destination, and session reports provide detailed capabilities to traffic reports for an
individual host/session pair.
Traffic reports
Traffic reports for an application traffic analysis task include the Traffic Trend line chart that provides
average per second traffic rates for all applications in the selected traffic analysis task for the
selected time range. This report also summarizes total traffic as well as the average, minimum
average and maximum average rate for all applications in the selected task.
The traffic reports include the Traffic Details list that provides the data collection samples that
includes timestamp, total volume of traffic and traffic rate in seconds for all applications in the
selected task for the selected time range. You can filter reports by time range.
To view the reports for an application task, click the Traffic tab to view traffic reports for the selected
213
Query traffic
tab.
icon
2.
in the query
3.

time.
time.
4.
Click OK.
The page will update to display the results of your query.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The Traffic Trend line chart displays the average per second traffic rate for all applications in the
selected traffic analysis task. This chart also provides average, minimum average, maximum
average, and total traffic volume statistics in a tabular format for all applications in the associated
task. If there is more than one application for the selected task, these statistics reflect traffic for all
applications configured in a task.
214
Figure 126 Traffic Report: Traffic Trend Report
Trend chart displays statistics for the previous hour.

1. To view data for an earlier period, click the Previous button located in the upper right corner
2. To view data for a later period, click the Next button located in the upper right corner of the
the associated task for the selected time range. This chart contains two lines. The red line displays
the maximum peak rate. The green line displays the MIN peak rate.
1.
2.
In the upper right corner of the Traffic Trend chart, click the Previous button to view data for
an earlier period.
In the upper right corner of the Traffic Trend chart, click the Next button to view data for a
later period.
parameters.
Traffic details
The Traffic Details list provides the data collection samples for traffic statistics for all applications
in the task based on the report time range. This report includes timestamp, total volume of traffic
and traffic rate in seconds for both inbound and outbound traffic for the selected time range.
215
Source reports
Source reports include the TopN Traffic Report for Source Host pie chart, which displays the
distribution of traffic for the TopN source hosts for all applications in the selected traffic analysis
task for the selected time range. This report also contains a link to traffic reports for the selected
host.
Source reports also include the TopN Traffic List for Source Host, which provides a list of the TopN
source hosts measured by volume of traffic observed on all applications in the selected application
traffic analysis task for the selected time range. This report also contains a link to reports for the
selected source host.
The host query icon
next to the Source IP address is a link for initiating a host query and the
results of the host query. As with all of the report types for an application task, NTA also provides
To view the reports for an application task, click the Source tab to view traffic reports for the selected
Query source hosts
icon
2.
in the query
3.

10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

216
a001:410:0:1::1/6
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

inbound/outbound application traffic in a certain period of time in a selected application traffic
analysis task. Click a bar in the chart to view the traffic analysis report of each source host.
distribution of the TopN source hosts for all applications in the selected traffic analysis task for the
selected time range. Each slice of the pie chart serves as a link for navigating to traffic reports for
the selected host.
217

of traffic observed for all applications in the selected application traffic analysis task for the selected
time range. This list includes the source host IP address, total volume of traffic for the associated
source host and the percentage of all observed traffic generated by the source host.
The IP address is a link to reports for the selected source host. The host query icon
next to the
Source IP address is a link for initiating a host query and a link to the results of the host query.
Figure 130 Source Report: TopN Traffic List for the Source Host
Source host traffic trend report

To view this report for an application task, click the slice of the pie chart on the TopN Traffic Report
for Source Host report for the source host you want to view statistics for. Or, click the IP address
for the source host you want to view statistics for from the TopN Traffic List for Source Host list.
The Source Host Traffic Trend Report line chart provides the average rate of traffic for the selected
source host. By default, the Source Host Traffic Trend Report chart displays statistics for the previous
hour.
period.
218
2.
Figure 131 Source Report: Source Host Traffic Trend Report
TopN destination hosts communicating with the source host

for Source Host report for the source host you want to view statistics for. Or, click the IP address
for the source host you want to view statistics for from the TopN Traffic List for Source Host list.
The TopN Destination Hosts Communicating with the Source Host displays the TopN destination
host IP address, the volume of traffic sent and received between this source host and the destination,
and the percentage of all traffic observed for this source host.
Figure 132 Source Report: TopN Destination Hosts Communicating with Source Host
Destination reports
Destination reports include the TopN Traffic Report for Destination Host pie chart, which displays
the distribution of inbound traffic observed for the TopN destination hosts for all applications in
the selected traffic analysis task for the selected time range. This report also contains a link to traffic
reports for the selected host.
Destination reports also include the TopN Traffic List for Destination Host, which provides a list of
the TopN destination hosts measured by volume of traffic observed on all applications in the
selected application traffic analysis task for the selected time range. This report also contains a
link to reports for the selected destination host. The host query icon
next to the Destination IP
address is a link for initiating a host query and the results of the host query.
As with all of the report types for an application task, NTA provides a query option for filtering
To view the reports for an application task, click the Destination tab to view traffic reports for the
selected application traffic analysis task.
219
Query destination hosts

Destination tab.
criteria icon
2.
in
3.

10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
TopN traffic report by destination host

The TopN Traffic Report for Destination Host bar chart displays the TopN destination hosts with the
most inbound/outbound application traffic in a certain period of time in a selected application
traffic analysis task. Click a bar for a destination host in the bar chart to view the traffic analysis
report of the destination host.
distribution of TopN destination hosts for all applications in the selected traffic analysis task for the
selected time range. Each slice of the pie chart serves as a link for navigating to traffic reports for
the selected host.

by volume of traffic observed for all applications in the selected application traffic analysis task
for the selected time range. This list includes the host IP address, total volume of traffic generated
by the associated destination host and the percentage of all observed traffic generated by the
destination host.
Viewing application traffic analysis reports 221
next to
the Destination IP address is a link for initiating a host query as well as a link to the results of the
host query.
Destination host traffic trend report

for Destination Host report for the destination host you want to view statistics for. Or, click the IP
The Destination Host Traffic Trend Report line chart provides the average rate of traffic for the
selected destination host. By default, the Destination Host Traffic Trend Report chart displays statistics
period.
Figure 135 Destination Report: Destination Host Traffic Trend Report
TopN source hosts communicating with the destination host

for Destination Host report for the destination host you want to view statistics for. Or, click the IP
The TopN Source Hosts Communicating with the Destination Host displays the TopN source host
IP addresses, the volume of traffic sent and received between this destination host and the sources,
and the percentage of all traffic observed for this destination host and the source hosts.
Figure 136 Destination Report: TopN Source Hosts Communicating with the Destination Host
Session reports
Session reports include the TopN Traffic Report for Session Host pie chart, which shows the
distribution of traffic for the TopN session hosts for all applications in the selected traffic analysis
task for the selected time period. This report also contains a link to traffic reports for the selected
host.
Session reports also include the TopN Traffic List for Session Host, which provides a list of the TopN
session hosts measured by volume of traffic observed for all applications in the selected application
traffic analysis task for the selected time period. This report also contains a link to reports for the
selected session host.
The host query icon
next to Session IP address is a link for initiating a host query and the results
of the host query. As with all of the report types for an application task, NTA also provides a query
option for filtering reports based on criteria you define.
To view the reports for an application task, click the Session tab to view traffic reports for the
selected application traffic analysis task.
Query sessions
icon
2.
in the query
3.

10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1
a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for Session Host pie chart displays the distribution of inbound traffic for
TopN source and destination session pairs for all applications in the selected traffic analysis task
for the selected time period. Each slice of the pie chart is a link to traffic reports for the select source
and destination session pair.

The TopN Traffic List for Session Host provides a list of the TopN source and destination session
pairs measured by volume of traffic observed for all applications in the selected application traffic
analysis task for the selected time range. This list includes the source and destination host IP
addresses, total volume of traffic generated by the source and destination session pair and the
percentage of all observed traffic generated between the source and destination session pair.
The icon
in the Details field is a link for viewing reports for the selected session or
source/destination pair. The host query icon

next to the Source Host and Destination Host IP
address fields is a link for initiating a host query as well as a link to the results of the host query.
Session traffic trend report

for Session Host report for the session pair you want to view statistics for. Or, click the Details icon
The Session Traffic Trend Report line chart provides the average rate of traffic for the source and
destination host pair. By default, the Session Traffic Trend Report chart displays statistics for the
previous hour.
period.
Figure 139 Session Report: Session Traffic Trend Report
Session traffic list

for Session Host report for the session pair you want to view statistics for. Or, click the Details icon
The Session Traffic List displays the data samples for the selected source and destination pair. This
list displays the date and timestamp for the data collection, the total volume of traffic observed for
the session pair and the rate of traffic for the collection interval.
Figure 140 Session Report: Session Traffic List
8 Host monitoring
This chapter describes host monitoring in NTA, including how NTA analyzes network flow records
to report on network traffic from a host perspective. It provides an overview of how NTA looks at
network flow data from the viewpoint of hosts; how it reviews the report structure for host traffic
reports; and how it manages configuration issues around host analysis tasks and the reports they
generate. This chapter explores the process for adding host traffic analysis tasks. It describes the
step-by-step instructions for adding, modifying, and deleting host tasks in NTA. It surveys the
summary reports for all host tasks. Finally, it looks at the more detailed reports for an individual
host traffic analysis task.
Host traffic analysis overview

Host traffic analysis tasks analyze network flow data by the IP addresses of hosts configured in a
host traffic analysis task. NTA parses all network flow data and provides various statistical views
of traffic that was observed for the hosts configured in a host traffic analysis task. For example,
NTA provides application information reporting for a given host or set of hosts. NTA displays the
rate of application traffic attributed to the specified hosts observed sending or receiving application
traffic. Because analyses based on hosts are not tied to a specific interface, device, or probe
network flow data sources, host reports provide visibility for all areas of the network that generate
network flow records.
The NTA host traffic analysis tasks provide traffic statistics for all hosts configured in the host traffic
analysis tasks. In general, the host traffic reports include rate of traffic for all hosts in all configured
host traffic analysis tasks and for the hosts in a task. Host statistics include per-second traffic rate
for each host; for application traffic observed for the configured host; and for distribution of host
traffic generated by source host, destination host, or by a session or source/destination host pair.
These reports are organized into multiple layers from summarized information for tasks to detailed
reporting for specific hosts configured for a host traffic analysis task.
Host traffic analysis reporting overview

After you create the first host traffic analysis task, NTA creates an entry called
Host Traffic
Click Host Traffic Analysis Task on the left navigation tree to view the summary report for all host
to the right of
Host Traffic Analysis Task.
The Host Traffic Analysis Task shortcut menu appears to display all host traffic analysis tasks created
in NTA. Click the name link for a task to view the host traffic analysis report of the task.
The summary host traffic analysis report includes the following contents:
reporting for all hosts specified in all host traffic analysis tasks summarized by task name.
Each bar in the graph is a link to more detailed reporting for the selected task, including
reporting for traffic rates, application, source, destination, and session statistics. Each of these
detailed report types also include several reports:
TrafficReports found under the Traffic tab for host reporting include traffic trends that
display the average rate per second attributed to the hosts in the selected task and the
data samples for the selected host task.
ApplicationReports found under the Application tab for host reporting include a tabular
report showing volume, rate and percentage of application traffic summarized for all
hosts in the task and a graph showing average rate of traffic by application for all hosts.
Host traffic analysis overview 227
SourceReports found under the Source tab for host reporting include inbound and
outbound reports. The contents of the inbound and outbound pie chart link to more detailed
reporting for the selected host.
Inbound reportIncludes a pie chart showing the percentage of traffic sent from the
TopN source hosts to the hosts configured in the selected task. It also includes a
tabular list showing volume and percentage of traffic generated for each of the TopN
source hosts that generated traffic to the hosts that configured in the selected task.
Outbound reportIncludes a pie chart showing the percentage of traffic sent from
the hosts configured in the selected task to any other hosts. It also includes a tabular
list showing volume and percentage of traffic generated for each of the TopN source
hosts that configured in the selected task.
The contents of the inbound and outbound pie chart link to more detailed reporting for
the selected host.
DestinationReports found under the Destination tab for host reporting include inbound
and outbound reports. The contents of the inbound and outbound pie chart link to more
Inbound reportIncludes a pie chart showing the percentage of traffic sent to the
hosts configured in the selected task by any other hosts. Also included is a tabular
report showing volume and percentage of traffic sent to each of the TopN destination
hosts that configured in the selected task by any other hosts.
Outbound reportIncludes a pie chart showing the percentage of traffic sent to the
TopN destination hosts by the hosts configured in the task. Also included is a tabular
report showing volume and percentage of traffic sent to each of the TopN destination
hosts by the hosts that configured in the selected task.
The contents of the inbound and outbound pie chart link to more detailed reporting for
the selected host.
228 Host monitoring
SessionReports found under the Session tab for host reporting include inbound and
outbound reports. The contents of the pie chart link to more detailed reporting for the
selected sessions.
Inbound reportIncludes a pie chart, which displays the percentage of traffic

generated by the TopN source/destination pairs with the destination hosts configured
in the selected task, and a table, which displays the volume and percentage of traffic
generated for each of the TopN source/destination pairs with the destination hosts
configured in the selected task.
Outbound reportIncludes a pie chart, which displays the percentage of traffic

generated by the TopN source/destination pairs with source hosts configured in the
selected task, and a table, which displays the volume and percentage of traffic
generated for each of the TopN source/destination pairs with source hosts configured
in the selected task.
The contents of the pie chart link to more detailed reporting for the selected sessions.
Traffic Trend and TopN Application for Selected Task (Last 1 Hour)This section offers two
charts:
A line chart that provides per second average traffic rate summarized by host traffic
analysis task for the host tasks you select.
A pie chart that provides distribution statistics for application traffic for all hosts in the
task.
Summary List (Last 1 Hour)This list provides per second traffic rate summarized by host
traffic analysis task. This list provides navigation to more detailed host reporting for the selected
task.
Host traffic analysis configuration considerations

This section explores configuration considerations and how to get the most out of the NTA host
reporting features. There are several things to consider when you add hosts to a task, the most
influential of which is how you select which hosts belong to each task. The following list provides
additional considerations.
By default, NTA does not monitor any hosts. You must create a task for every host or group
of hosts on which you want to monitor and report.
You must enable network flow data on the devices and for the interfaces on them for those
locations on your network where you know host traffic for can be captured. Then you need
to add these devices and probes to NTA using the Device management and Probe
management features in NTA. NTA then summarizes application data for all devices and
probes on which it observes the application traffic.
NTA provides summarized host reporting based on the way you have grouped hosts into
tasks. Consider how you want to summarize, access, and view host data. Then structure your
tasks around it. For example, you can create a host task called NetMgmtHosts and add all
of the hosts used in your environment that support network management. NTA summarizes all
traffic observed for all hosts into the group NetMgmtHosts and attribute traffic in the reports
to the task name you have configured.
Managing host traffic analysis tasks

create. Until you create a task, NTA does not analyze the data that devices forward to it or that
it is configured to receive. Effective management of tasks results in the reporting you need. This
section explores the step-by-step process for adding, modifying, or removing host traffic analysis
tasks in NTA.

Management link.
page.
Managing host traffic analysis tasks 229
Task list contents
3.
inter-business.
Baseline AnalysisAppears when the baseline analysis feature is enabled in the NAT

upper left corner of the Traffic Analysis Task List.
NOTE: You can sort the Traffic Analysis Task List by the Name, Task Description, Task Type, and
Viewing host traffic analysis task details

To view the details for a traffic analysis task:
Management link.
page.
3.
In the Task Name field of the Traffic Analysis Task List whose Task Type is Host, click the
contents to view the details for an individual task.
inter-business.
If the Baseline Analysis field is not displayed, the baseline analysis feature is disabled on
the NTA server. For more information about configuration options for the NTA server,
IP Stat. DirectionIdentifies whether the specified IP addresses are included. Include

indicates that IP addresses in the Host IP List are included. Exclude indicates that the IP
addresses in the Host IP List are excluded.
Host IP ListContains the IP address for all hosts configured for this traffic analysis task.
Application ListIdentifies all applications configured for the associated traffic analysis
task.
230 Host monitoring
4.
Interface InformationIdentifies all of the interfaces configured for reporting in the

Probe InformationIdentifies all of the probes configured for reporting in the associated
Adding a host traffic analysis task

To add a host traffic analysis task:
Management link.
Management page.
3.
Click Add.
4.
5.
To add a host traffic analysis task, click the option next to Host on the Select Task Type section.
Click Next.
6.

descriptive and useful names to a task that help you navigate to reports quickly and easily.
7.
8.

9.
access to the analysis and reports provided by this host task.
every operator group you want to grant access to.
b. To select all operator groups, select the checkbox in the upper left corner of the column
label field for all boxes.
c. Click OK to accept your operator group selection. The selected operator groups are
displayed in the Reader field.
reports generated by this task; select Disable to disable the baseline analysis feature.
trendline displays statistics based on the first weeks collection. Statistics are adjusted over
disabled in the NTA parameters. For more information about configuration options for the
NTA parameters, including the baseline analysis feature, see Configuring NTA traffic analysis
parameters.
Managing host traffic analysis tasks
231
11. To include traffic from one or more hosts or address ranges, select Include from the IP Stat.
Direction list.
To exclude traffic from one or more hosts or address ranges, select Exclude. The default setting
is Include.
You can add one or more hosts or address ranges to a task. However, you must have at least
one host defined and no more than 50 host entries defined for each task.
NOTE: For considerations about organizing application into tasks, see Host traffic analysis
configuration considerations.
You can configure a host traffic analysis task to include or exclude traffic for one or more
hosts defined by IP address. You can enter a range of IP addresses to be included or excluded
in the analysis. Or, you can enter a combination of IP host addresses and IP address ranges
to be included or excluded in the analysis. No two addresses or address ranges entered in
the Host IP field can overlap.
12. In the Host IP field, enter the IP address for a single host, and enter the IP address using dotted
decimal notation to add IP address entries.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
13. To the right of the Host IP field, click the Add button.
The addresses and masks you entered are added to the Host IP List field displayed below the
Host IP field.
You also configure host analysis tasks to include applications. You can have more than one
application configured for a host traffic analysis tasks. Traffic data for the selected applications
is included in report processing and presentation. You must have at least one application and
no more than 50 applications configured for a host traffic analysis task.
14. To the right of the Application List field, click the Add button to add applications to the task.
The Query Applications dialog box appears and an empty Application List appears in the
lower portion of the dialog box.
To select applications to add to your task, you must first query the Application List. To do so,
perform the following steps:
232 Host monitoring
a.
the dialog box:
Pre-definedTo search for predefined applications, select Yes from the Pre-defined
list.
To filter for applications that are user-defined, select No from the list.
b.

The results of your query are displayed in the Application List displayed below the Query
c.
d.
Check the boxes next to the applications to add to the host traffic analysis task.
Click OK to add the applications to the host traffic analysis task you want to create.
To add interfaces automatically

a. Click the Obtain Automatically tab at the top of the Add Interface page.
All interfaces that can be selected for use in a traffic analysis task appear in the
Interface Information list under the Obtain Automatically tab of the Add Interface
page.
For the interfaces of a device to appear on this list, you must first add the device to
NTA using the NTA device management feature. Then you must select the device in
the NTA server configuration under server management. For more information about
adding a device for traffic analysis to NTA, see Device management. For more
information about selecting devices in NTA server management, see Modifying an
NTA server configuration.
The device you want to add must also be configured to forward NetStream, NetFlow,
or sFlow traffic to NTA as the traffic collector or collection server.
b.
c.
Next to the Interface Description field, click the boxes to select one or more interfaces
to add to the task.
When the interfaces you select are added successfully to the task, they appear in
the Interface Information list.
To configure interfaces manually
a.
Click the Configure Manually tab to add interfaces manually to a host traffic analysis
task.
The page will update to display the configuration options for manually adding an
interface to a traffic analysis task.
b.
Enter a name for the interface at the top of the Add Interface page, in the Interface
Name field.
Assigning a descriptive and meaningful name to an interface will help you to navigate
c.
server management.
management. For more information about selecting devices in NTA server
The device you want to add must be configured to forward NetStream, NetFlow, or
d.
Enter the unique interface index or ifIndex number for the interface in the Interface
Index field.
e.
f.
From the tabular navigation system on the top, click the Resource tab to navigate to
the Interface Details page for an individual device.
On the navigation tree on the left, click Device View under View Management section.
g.
In the Device Label column in the Device List All, click the link for the device for
which you want to view interface details.
h.
In the Interfaces field of the Device Details page, click the Interface List link for the
selected device.
Details page, see the IMC Base Platform Administrator Guide.
i.
j.
In the list next to the Max. Speed field, select the unit of measure for the interface
speed.
CAUTION: Assigning an incorrect interface maximum speed and unit of measure
to an interface results in incorrect statistical analysis and reporting of metrics. Verify
that the maximum interface speed and unit of measure you enter are correct.
k.

NOTE: You can use both methods to add interfaces to an interface traffic analysis
task. To do so, complete the steps described for each method.
l.
234 Host monitoring
To select one or more probes that will provide network flow data, click the box next
to the Probe Name field for every probe you want to select.
16. Click OK to create the host traffic analysis task.

Once you create a host traffic analysis task, NTA will create an entry called
Host Traffic Analysis
Task on the left navigation tree. Click the entry to view the summary report for the host traffic
analysis tasks.
to the right of
The Host Traffic Analysis Task shortcut menu appears to display all host traffic analysis tasks created
For information about accessing and viewing host traffic analysis reports, see "Viewing host traffic
analysis reports."
Modifying a host traffic analysis task

To modify a host traffic analysis task:
Management link.
page.
3.
4.

associated with the host traffic analysis task you want to modify.
In the Task Name field, modify the name for this task.
5.
6.
7.
host task, click the Select button to the right of the Reader field.
every operator group to which you want to grant access.
To select all operator groups, click the checkbox in the upper left corner of the column
label field.
b.
Click OK to accept your operator group selection.

c.
d.
e.
To revoke operator group access to the results of this traffic analysis task, highlight the
groups you want to remove.
Click Delete.
8.
reports generated by this task; to disable the baseline analysis feature, select Disable.
trendline shows statistics based on the first weeks collection and is adjusted over time as more
data is collected.
If the Baseline Analysis list is not displayed, it is because the baseline analysis feature is
disabled in the NTA parameters. For more information about configuration options for the
NTA parameters, including the baseline analysis feature, see Configuring NTA traffic analysis
parameters.
9.
From the IP Stat, select Include to include traffic from one or more hosts or address ranges; to
exclude traffic from one or more hosts or address ranges, select Exclude. The default setting
is Include.
You can configure a host traffic analysis task to include or exclude traffic for one or more
hosts defined by IP address. You can enter a range of IP addresses to be included or exclude
in the analysis. Or, you can enter a combination of IP host addresses and IP address ranges
to be included or exclude in the analysis. No two addresses or address ranges entered in the
Host IP field can overlap. You must configure at least one host address or address range and
no more than fifty host entries for a task.
NOTE: For considerations about organizing application into tasks, see Host traffic analysis
10. To add IP address entries in the Host IP field, perform the following instructions:
a. To enter the IP address for a single host, enter the IP address using dotted decimal notation.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
b.
To the right of the Host IP field, click the Add button.

The addresses and masks you entered are added to the Host IP List field displayed below
the Host IP field.
c.
d.
e.
To remove one or more hosts from the task, highlight the hosts and/or address ranges
you want to remove.
To the right of the Host IP List field, click the Delete button.
Click OK, when prompted, to confirm the deletion of the selected hosts or addresses
ranges.
The Host IP List is updated to reflect the host or address range deletions.
Configure host analysis tasks to include applications. Traffic data for the selected
applications is included in report processing and presentation.
Configure more than one application per task but you must configure at least one
application and no more than fifty applications configured for a host traffic analysis task.
11. To the right of the Application List field, click the Add button to add applications to the task.
The Query Applications dialog box appears and an empty Application List appears in the
lower portion of the dialog box.
To select applications to add to your task, you must first query the Application List. To do so:
12. In the Query Applications section of the dialog box, enter one or more of the following search
criteria:
236 Host monitoring
a.
b.
ApplicationEnter a partial or complete name for the applications you want to search
for in the Application field.
Pre-definedTo search for applications that are predefined, select Yes from the Pre-defined
list.
To filter for applications that are user-defined, select No from the list.
c.
d.

section.
e.
f.
Click the checkboxes next to the applications you want to add to the application traffic
analysis task.
Click OK to add the applications to the traffic analysis task you want to create.
The applications you selected appear in the Application List.
g.
h.
i.
To remove one or more applications from the task, highlight the applications you want
to remove.
To the right of the Application List field, click the Delete button.
The Application List reflects the deletions.
There are two methods for adding interfaces. You can add them automatically or configure
them manually.
To obtain interfaces automatically

a. Click the Obtain Automatically tab at the top of the Add Interface page.
All interfaces that can be selected for use in a traffic analysis task appear in the
Interface Information list under the Obtain Automatically tab of the Add Interface
page.
For the interfaces of a device to appear on this list, you must first add the device to
NTA using the NTA device management feature. Then you must select the device in
the NTA server configuration under server management.
The device you want to add must also be configured to forward NetStream, NetFlow,
or sFlow traffic to NTA as the traffic collector or collection server.
b.
c.
Next to the Interface Description field, click the boxes to select one or more interfaces
to add to the task.
When the interfaces you select are added successfully to the task, they appear in
the Interface Information list.
To configure interfaces manually

a.
Click the Configure Manually tab to add interfaces manually to a host traffic analysis
task.
The page will update to display the configuration options for manually adding an
interface to a traffic analysis task.
b.
Enter a name for the interface at the top of the Add Interface page, in the Interface
Name field.
Assigning a descriptive and meaningful name to an interface will help you to navigate
c.
server management.
The device you want to add must be configured to forward NetStream, NetFlow, or
d.
Enter the unique interface index or ifIndex number for the interface in the Interface
Index field.
e.
f.
From the tabular navigation system on the top, click the Resource tab to navigate to
the Interface Details page for an individual device.
On the navigation tree on the left, click Device View under View Management section.
g.
In the Device Label column in the Device List All, click the link for the device for
which you want to view interface details.
h.
In the Interfaces field of the Device Details page, click the Interface List link for the
selected device.
i.
j.
In the list next to the Max. Speed field, select the unit of measure for the interface
speed.
CAUTION: Assigning an incorrect interface maximum speed and unit of measure
to an interface results in incorrect statistical analysis and reporting of metrics. Verify
that the maximum interface speed and unit of measure you enter are correct.
k.

NOTE: You can use both methods to add interfaces to an interface traffic analysis
task. To do so, complete the steps described for each method.
14. To delete the interface, click the Delete icon

238 Host monitoring
for the interface you want to delete.
15. To modify the interface name and interface speed, click the Modify icon
you want to modify.
for the interface
This field contains a link to the Modify Interface Configuration page for the associated interface.
16. To select one or more probes that provide network flow data, select the checkbox next to the
Probe Name field for every probe you want to select.
Leave the checkbox unchecked if you do not want to analysis the network flow data for the
associated probe.
17. Click OK to accept your modifications to the host traffic analysis task.
Deleting a host traffic analysis task

To delete a host traffic analysis task:
Management link.
page.
3.
4.

Click OK to confirm the deletion of the selected host traffic analysis task.
Viewing host traffic analysis reports

NTA provides several levels of reporting for all host tasks. There are summarized reports for all
tasks, detailed reports for an individual task, and more detailed reports for a host within a task.
All reports can be accessed by clicking the highest level branch of the left navigation tree under
the Traffic Analysis and Audit section.
To view summarized reporting for all host tasks, click the
left navigation tree.
Host Traffic Analysis Task entry in the
NTA also provides more detailed reporting for individual tasks, including reports for every host
configured in a host traffic analysis task. NTA groups individual tasks by type. All host tasks can
be found on the Host Traffic Analysis Task menu.
To view the Host Traffic Analysis Task shortcut menu, move your mouse pointer to the shortcut menu
icon
to the right of
Host Traffic Analysis Task. The shortcut menu displays all host traffic
analysis tasks created in NTA. Click the name link for a task to view the host traffic analysis report
of the task.
This section describes the reporting options available for host traffic analysis tasks, and reviews
the process for navigating to host traffic analysis tasks, the summary reports available for host
tasks, and the reports and features available for an individual host traffic analysis task.
Navigating to the host traffic analysis reports

To navigate to host traffic reports:
2.
Analysis Task entry to view summary reporting for all host tasks.
Host Traffic
Viewing host traffic analysis reports 239
3.
the right of
to
The Host Traffic Analysis Task menu appears to display all host traffic analysis tasks created
Summary reports for all host tasks

Host Traffic Analysis Task entry of the left navigation tree under
reports for an individual task. This section reviews the summarized reports.
The Average Rate bar graph summarizes the average inbound and outbound traffic rates for all
hosts in every host traffic analysis task, grouped by host traffic analysis task for the last hour. You
can access this graph by clicking the
Host Traffic Analysis Task entry of the left navigation tree.
The bars in the graph serve as a link for navigating to the reports for the selected task.
The Traffic Trend and TopN Application for Selected Task includes a line chart and a pie chart. The
line chart provides traffic trend rates for inbound or outbound traffic for the selected host traffic
analysis tasks for the last hour. The pie chart displays the distribution of inbound or outbound TopN
applications traffic for the selected host traffic analysis tasks for the last hour. You can access this
chart by clicking the
Host Traffic Analysis Task entry of the left navigation tree.
The Traffic Trend In line chart provides traffic trend rates for inbound traffic for the selected host
traffic analysis tasks for the last hour.
The Traffic Trend Out line chart provides traffic trend rates for outbound traffic for the selected
host traffic analysis tasks for the last hour.
The TopN Application In pie chart displays the distribution of inbound TopN applications traffic
for the selected host traffic analysis tasks for the last hour.
The TopN Application Out pie chart displays the distribution of outbound TopN applications
traffic for the selected host traffic analysis tasks for the last hour.
240 Host monitoring
Figure 142 Summary Report: Traffic Trend and TopN Application for Selected Task
1.
To select the task, click the Select Task link in the upper right corner of the Traffic Trend and
2.
3.
Click the checkbox next to the host task for which you want to use for this report.
Click OK.
The page displays an updated line chart for the selected host task.

The Summary List provides traffic rates statistics summarized by host task.
Task NameContains the name of the host traffic analysis task. The contents of this field link
to reports for the associated task.
Total RateProvides the combined inbound and outbound rate for the associated task.
In RateProvides the rate traffic for all hosts configured for the associated task for the last
hour.
Out RateProvides the rate traffic for all hosts configured for the associated task for the last
hour.
The Add button located at the top of the Summary List provides you with a shortcut to the Add
Host Traffic Analysis Task page.
1.
For more information about adding host traffic analysis tasks, see Adding a host traffic
analysis task.
2.
241
Detailed reports for a host traffic analysis task

In addition to summary reporting for all tasks, NTA provides a suite of reports for viewing host
data from different perspectives. Reports for hosts are organized into five reporting groups:
Traffic reportsProvide overall traffic statistics and the data samples collected for the specified
time period.
Application reportsProvide rate of traffic statistics by application with detailed information

for an individual application.
Source reportsProvide distribution of traffic for the TopN source hosts as well a total traffic
volume and percentage of host traffic for the TopN hosts.
Destination reportsProvide distribution of traffic for the TopN destination hosts as well a
total traffic volume and percentage of host traffic for the TopN destination hosts.
Session reportsProvide distribution of traffic for the TopN session pairs for all hosts in a task
as well a total traffic volume and percentage of host traffic for session pairs in a task.
Source, destination, and session reports enable you to get detailed information about traffic reports
for an individual host/session pair.
Traffic reports
Traffic reports for a host traffic analysis task include the Traffic Trend line chart that provides average
per second traffic rates for all hosts in the selected traffic analysis task for the selected time range.
This report also summarizes total traffic and the average, minimum, and maximum rate for all hosts
in the selected task. The traffic reports include the Traffic Details List that provides the data collection
samples that includes timestamp, total volume of traffic and traffic rate in seconds for all hosts in
the selected task for the selected range. NTA also provides a query option for filtering reports
based on criteria you define.
To view the reports for a host traffic analysis task, click the Traffic tab to view traffic reports for the
selected host traffic analysis task.
Query traffic
tab.
icon
2.
in the query
3.

time.
time.
242 Host monitoring
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The Traffic Trend combination line and area chart provides average per second traffic rate for all
hosts in the selected traffic analysis task for the selected time range. This chart also provides
average, minimum average, maximum average, and total traffic volume statistics in a tabular
format for all hosts in the associated task. If there is more than one host for the selected task, these
statistics reflect traffic for all hosts configured in a task.
green line is the baseline and the red area is the average traffic rate. For more information about
configuring the baseline analysis feature for the host traffic analysis task, see Configuring NTA
traffic analysis parameters.

contains four lines, Max. In Peak Rate, Min. In Peak Rate, Max. Out Peak Rate, and Min. Out Peak
Rate.
shows the Max./Min. In Peak Rate chart and the Max./Min. Out Peak Rate chart under the Traffic
Trend chart. For more information about configuring the baseline analysis feature for the host traffic
analysis task, see Configuring NTA traffic analysis parameters.
244 Host monitoring
For more information about enabling peak traffic analysis, see Configuring NTA traffic analysis
parameters.
Traffic details
The Traffic Details list provides the data collection samples for traffic statistics for all hosts in the
task for the selected time range. This report includes timestamp, total volume of traffic and traffic
rate in seconds for both inbound and outbound traffic for the selected time range.
Application reports
category for all hosts in a task, with detailed information about an individual application. Application
reports for a host traffic analysis task include the Application List, which provides a list of applications
observed for all hosts in the selected host traffic analysis task. This list includes total volume of
traffic for the associated application, rate of traffic, and the percentage of all observed traffic
observed on all hosts generated by the associated application. This report also enables you to
provide detailed reports for the selected application. The Application Traffic Trend stacked area
chart provides average inbound or outbound traffic rates for all applications observed for all hosts
in the selected traffic analysis task.
Protocol reports for a host traffic analysis task include the Protocol List, which provides a list of
protocols observed for all hosts in the selected host traffic analysis task. This list includes total
volume of traffic for the associated protocol, rate of traffic, and the percentage of all observed
traffic observed on all hosts generated by the associated protocol. This report also enables you to
provide detailed reports for the selected protocol. The Protocol Traffic Trend stacked area chart
provides average inbound or outbound traffic rates for all protocols observed for all hosts in the
selected traffic analysis task.
Application category reports for a host traffic analysis task include the Application Category List,
which provides a list of the application categories observed for all hosts in the selected host traffic
analysis task. This list includes total volume of traffic for the associated application categories, rate
of traffic, and the percentage of all observed traffic observed on all hosts generated by the
associated application category. This report also enables you to provide detailed reports for the
selected application category. The Application Category Traffic Trend stacked area chart provides
average inbound or outbound traffic rates for all applications observed for all hosts in the selected
As with all of the report types for a host task, NTA also provides you with a query option for filtering
reports based on criteria you define. To view the reports for a host traffic analysis task, click the
Application tab to view application reports for the selected host traffic analysis task, and set Query
Type to Application as described in "Query applications."
information on applications in NTA, see Managing applications. In this section we will explore
Query applications
settings for query type, application, or time range for the graphs and tables to customize the reports
displayed under the Application tab.
1.
in the upper right corner of the application report, and select
2.
Criteria to expand the query criteria setting section.
to the right of the Query
The page will display the report for Layer 4 through Layer 7 applications.
3.
ApplicationTo the right of the Application field, click the Select button to select the
application for which you want to search.
The Query Applications dialog box appears and an empty Application List appears in
the lower portion of the dialog box.
To select the application for which you want to search, you must first query the Application
List. To do so, perform the following steps:
a.
b.
246 Host monitoring
In the Query Applications section of the dialog box, enter one or more of the following
search criteria:

predefined; from the list, select No to filter for applications that are user-defined;
finally, to include system or predefined and user-defined applications, select Not
limited.
c.

section.
d.
e.
Click check the boxes next to the applications for which you want to search.
The applications you selected appear in the Application field.
f.
To the right of the Application field, click the Clear button to clear all selected applications.
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
Application list
The Application List provides a list of the applications observed for all hosts in the selected host
traffic analysis task for the selected time range. This list includes the application name, a link
for viewing the ports for all unknown applications, total volume of traffic for the associated
application, rate of traffic, and the percentage of traffic on all hosts generated by the associated
application. The application name in the Application field is a link to reports for the selected
application.

traffic rates for all applications observed for all hosts in the selected traffic analysis task for the
selected time range. If there is more than one host for the selected task, these statistics reflect traffic
for all hosts configured in a task.
Figure 149 Application Report: Application Traffic Trend - In/Out

NTA provides traffic trend statistics for the individual applications that were captured for the hosts
for a selected task. Individual application reports include the Application Traffic Trend report that
displays the average rate of traffic for the selected application and the TopN Application Usage
List that identifies which source and destination hosts contributed the greatest volume of traffic for
the selected application. Also included are reports for unknown TCP and UDP applications. Unknown
applications are those applications for which the layer 4 TCP or UDP port number has not been
assigned a name and is not included as an application in NTA. For more information about
assigning names to TCP or UDP ports and adding them as applications to NTA, see Managing
applications.
To view individual application reports for a host traffic analysis task, click the name in the Application
To view unknown application reports for a host traffic analysis task, click the icon
in the
Application field of the Application List report for the application for which you want to view this
report.
248 Host monitoring

captured for all hosts in the selected traffic analysis task. If there is more than one host for the
selected task, this chart reflects traffic for all hosts configured in a task.
period.
Figure 150 Application Report: Traffic Trend Report for an Individual Application

The TopN Application Usage List includes Source Host List In/Out and the Destination Host List
In/Out lists.
The Source Host List In/Out provides a list of the TopN source hosts measured by volume of traffic
captured for the hosts in the selected host traffic analysis task for the selected time range. This list
includes the source host IP address, total volume of traffic for the associated source and the
percentage of all observed traffic generated by the source. The host query icon
next to the
Source Host IP Address is a link for initiating a host query and a link to the results of the query.
by volume of traffic captured for the hosts in the selected host traffic analysis task for the selected
icon

The TopN Traffic Report for Unknown TCP/UDP Applications by Port provides the distribution of
application or protocol captured for the hosts in the selected traffic analysis task for the selected
time range. NTA enables you to change how the traffic is grouped.
1. From the Group By list in the upper right corner of the TopN Traffic Report for Unknown
TCP/UDP Applications by Port section of the page, select Port to group by port.
2. From the Group By list, select Source Host to group by source host.
3. From the Group By list, select Destination Host to group by destination host.
4. Click Back to return to the main Application report page.
Figure 152 Application Report: TopN Traffic Report for Unknown TCP/UDP Applications
TopN traffic list for unknown TCP/UDP applications by port

The TopN Traffic List for Unknown TCP/UDP Applications by Port provides a list of the TopN
unknown TCP or UDP applications measured by volume and rate of traffic captured for the hosts
in the selected host traffic analysis task for the selected time range. This list includes the TCP or
UDP port number, total volume of traffic, rate of traffic, and the percentage of all observed traffic.
250 Host monitoring
The port number is a link to individual reports for the selected port. The icon
in the Define
Application field is a link for adding the selected port as a layer 4 application to NTA. For more
information about managing applications in NTA, see Managing applications.
TopN traffic list for unknown TCP/UDP applications by source host

The TopN Traffic List for Unknown TCP/UDP Applications by Source Host provides a list of the TopN
unknown TCP or UDP applications measured by volume and rate of traffic captured for the hosts
in the selected host traffic analysis task for the selected time range. This list includes the source
host IP address, total volume of traffic for the associated source, rate of traffic, and the percentage
of all observed traffic generated by the source. The host query icon
a link for initiating a host query and a link to the results of the query.
next to the Source Host is
Figure 154 Application Report: TopN Traffic List for Unknown TCP/UDP Applications by Source
Host
TopN traffic list for unknown TCP/UDP applications by destination host

The TopN Traffic List for Unknown TCP/UDP Applications by Destination Host provides a list of the
TopN unknown TCP or UDP applications measured by volume and rate of traffic captured for the
hosts in the selected host traffic analysis task for the selected time range. This list includes the
destination host IP address, total volume of traffic for the associated destination, rate of traffic, and
next
to the Destination Host is a link for initiating a host query a link to the results of the query.
251
Figure 155 Application Report: TopN Traffic List for Unknown TCP/UDP Applications by Destination
Host

To view this report for a host traffic analysis task, click the link in the Port field of the Traffic Trend
Report for Unknown Applications by Port for the unknown TCP or UDP application you want to
view this report for.
The Traffic Trend graph provides the average rate for an individual unknown application captured
for the hosts in the selected traffic analysis task. Click Back to return to the all unknown application
report page.

To view this report for a host traffic analysis task, click the link in the Port field of the Traffic Trend
and destination host pairs, the volume of traffic sent and received between this source host and
the destination, the rate of traffic observed between the pair, and the percentage of all traffic
observed for this source host.
Figure 157 Application Report: TopN Traffic Details List for Unknown TCP/UDP Applications by
Port
252 Host monitoring
Protocol Reports
NTA. Protocol reports for a host traffic analysis task include the Protocol List, which provides a list
of protocols captured for the hosts in the selected host traffic analysis task. This report also enables
you to provide detailed reports for the selected protocol. The Protocol Traffic Trend stacked area
chart provides average inbound or outbound traffic rates for all protocol captured for the hosts in
the selected traffic analysis task. Protocol reports also include traffic lists and trend reports for
individual protocols.
As with all of the report types for a host traffic analysis task, NTA also provides you with a query
option for filtering reports based on criteria you define. To view the reports for a host traffic analysis
task, click the Application tab to view application reports for the selected host traffic analysis task,
and set Query Type to Protocol as described in "Query protocols." For more information on protocols
in NTA, see Managing protocols. This section explores the reports available for protocols.
Query protocols
enables you to change the filter criteria for protocol reports. You can change the default settings
for query type, protocol, or time range for the graphs and tables to customize the reports displayed
under the Application tab.
1.
2.
3.
Select Protocol from the Query Type list. The page will display the report for protocols.
the right of the Protocol field.
The Query Applications dialog box is displayed and an empty Protocol List is displayed
so:
a.
b.
c.
In the Query Protocols section of the dialog box, enter one or more of the following search
criteria:
ProtocolIn the Protocol field, enter a partial or complete name for the protocols for
which you want to search.
Pre-definedFrom the Pre-defined list, select Yes to search for protocols that are
predefined; from the list, select No to filter for protocols that are user-defined; finally,
select Not limited to include system, predefined, or user-defined protocols.
d.
e.
Click the checkboxes to the left of the protocols for which you want to search.
The protocols you selected appear in the Protocol field.
f.
Click Clear to clear all selected protocols.
time.
time.
Additionally, to set the start time and end time for the protocol report, you can click the
query criteria icon
to set the time range for the traffic report for protocols.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
Protocol list
The Protocol List provides a list of the protocols captured for the hosts in the selected host traffic
for the associated protocol, rate of traffic, and the percentage of traffic on the host generated by
the associated protocol. The protocol name in the Protocol field is a link to reports for the selected
protocol.
254 Host monitoring
From the lower right side of the main pane, click 8, 15, 50, 100, or 200 to configure how many
rates for all protocols captured for the hosts in the selected traffic analysis task for the selected time
range.
Figure 159 Application Report: Protocol Traffic Trend - In/Out

NTA provides traffic trend statistics for the individual protocol that were captured for the hosts for
a selected task. Individual protocols reports include the Protocol Traffic Trend report that displays
the average rate of traffic for the selected protocol and include the TopN Protocol Usage List that
identifies which source and destination hosts contributed the greatest volume of traffic for the
selected protocol.
Protocol List report for the protocol for which you want to view this report. For more information
about Protocol List, see "Protocol list."
The Protocol Traffic Trend graph provides the average rate for an individual protocol captured for
the hosts in the selected traffic analysis task.
period.
Figure 160 Application Report: Traffic Trend Report for an Individual Protocol

The TopN Protocol Usage List includes the Source Host List In/Out and the Destination Host List
In/Out lists.
The Source Host List In/Out provides a list of the TopN source hosts measured by volume of traffic
captured for the hosts in the selected host traffic analysis task for the selected time range. This list
includes the source host IP address, total volume of traffic for the associated source and the
percentage of all observed traffic generated by the source. The host query icon
next to the
Source Host IP Address is a link for initiating a host query and a link to the results of the query.
The Destination Host List In/Out provides a list of the TopN destination hosts measured by volume
of traffic captured for the hosts in the selected host traffic analysis task for the selected time range.
This list includes the destination IP address, total volume of traffic for the associated destination
and the percentage of all observed traffic generated by the destination. The host query icon
next to the Destination Host IP Address is a link for initiating a host query and a link to the results
of the query.
Figure 161 Application Report: TopN Protocol Usage List - Destination Host List

in NTA. Application category reports for a host traffic analysis task include the Application Category
List, which provides a list of the application categories captured for the hosts in the selected host
traffic analysis task. This list includes total volume of traffic for the associated application categories,
rate of traffic, and the percentage of all traffic captured for the hosts. This report also enables you
to provide detailed reports for the selected application category. The Application Category Traffic
Trend stacked area chart provides average inbound or outbound traffic rates attributed to the
application categories captured for the hosts in the selected traffic analysis task. Application
category reports also include traffic lists and trend reports for the individual application categories.
As with all of the report types for a host traffic analysis task, NTA also provides you with a query
option for filtering reports based on criteria you define. To view the reports for a host traffic analysis
256 Host monitoring
task, click the Application tab to view application reports for the selected host traffic analysis task,
and set Query Type to Application Category as described in "Query application categories."
NTA provides many system-defined application categories and also supports user defined
application categories. For more information about application categories in NTA, see Managing
application categories. This section explores the reports available for application categories.
category reports. NTA enables you to change the filter criteria for application category reports.
You can change the default settings for query type, application category, or time range for the
graphs and tables to customize the reports displayed under the Application tab.
1.
2.
to the right of Query Criteria

3.
Application CategoryTo the right of the Application Category field, click the Select button
to select the application category for which you want to search.
The Query Applications dialog box appears and an empty Application Category List
appears in the lower portion of the dialog box.
To select the application categories you want to search for, you must first query the Application
Category List. To do so, perform the following steps:
a. Enter one or more of the following search criteria in the Query Application Categories
b.
c.
Application CategoryIn the Application Category field, enter a partial or complete

name of the application categories for which you want to search.
Pre-definedFrom the Pre-defined list, select Yes to search for application categories
that are predefined; select No to filter for application categories that are user-defined;
finally, select Not limited to include system or predefined and user-defined application
categories.
criteria.
The results of your query appear in the Application Category List below the Query
d.
e.
Click the checkboxes next to the application categories for which you want to search.
f.
Click Clear to clear all selected application categories.
time.
time.
in the upper right corner of the application category report.
On the list that appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours,
in the
query criteria area to set the time range for the traffic report for application categories.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The Application Category List provides a list of the application categories for which traffic was
observed for the hosts in the selected host traffic analysis task for the selected time range. This list
includes the application category name, total volume of traffic for the associated application
category, rate of traffic, and the percentage of traffic on the host generated by the associated
258 Host monitoring

The Application Category Traffic Trend In/Out stacked area chart provides average inbound/
outbound traffic rates for all application categories captured for the hosts in the selected traffic
analysis task for the selected time range.
Figure 163 Application Report: Application Category Traffic Trend - In/Out

NTA provides traffic trend statistics for the individual application categories that were captured
for the hosts for a selected task. Individual application categories reports include the Application
Category Traffic Trend report that displays the average rate of traffic for the selected application
category. Individual application category reports also include the TopN Application Category
Usage List that identifies the TopN source and destination hosts.
To view application category reports for a probe task, click the name in the Application Category
field of the Application Category List report for the application category for which you want to
view this report. For more information about Application Category List, see "Application category
list."
The Application Category Traffic Trend graph provides the average rate for an individual application
category captured for the hosts in the selected traffic analysis task. By default, this graph displays
period.
Figure 164 Application Report: Traffic Trend Report for an Individual Application Category

The TopN Application Category Usage List includes the Source Host List In/Out and the Destination
Host List In/Out lists.
The TopN Application Category Usage List - Source Host List provides a list of the TopN source
hosts measured by volume of traffic captured for the hosts in the selected host traffic analysis task
for the selected time range. This list includes the source host IP address, total volume of traffic for
the associated source and the percentage of all observed traffic generated by the source. The host
query icon
next to the Source Host IP Address is a link for initiating a host query and a link to
the results of the query.
The TopN Application Category Usage List - Destination Host List provides a list of the TopN
destination hosts measured by volume of traffic captured for the hosts in the selected host traffic
analysis task for the selected time range. This list includes the destination IP address, total volume
of traffic for the associated destination and the percentage of all observed traffic generated by the
destination. The host query icon
next to the Destination Host IP Address is a link for initiating
a host query and a link to the results of the query.
Figure 165 Application Report: TopN Application Category Usage List - Destination Host List
260 Host monitoring
Source reports
Source reports include inbound and outbound reports. The inbound report includes the TopN Traffic
Report for Source Host bar/pie chart. This bar chart displays the average rate of traffic sent from
the TopN source hosts to the hosts configured in the selected task. The pie chart displays the
distribution of traffic sent from the TopN source hosts to the hosts configured in the selected task.
The inbound report also include the TopN Traffic List for Source Host, which provides a list showing
volume and percentage of traffic generated for each of the TopN source hosts that sent traffic to
the hosts that configured in the selected task. The outbound report includes the TopN Traffic Report
for Source Host bar/pie chart.
This bar chart displays the average rate of traffic sent from the hosts configured in the selected
task to any other hosts. This pie chart displays the distribution of traffic sent from the hosts configured
in the selected task to any other hosts. The outbound report also includes the TopN Traffic List for
Source Host, which provides a list showing volume and percentage of traffic generated for each
of the TopN source hosts that configured in the selected task. These lists also contain a link for
navigating to reports for the selected source host.
The host query icon
next to the Source IP address is a link for initiating a host query and a link
to the results of the host query. As with all of the report types for a host task, NTA also provides a
query option for filtering reports based on criteria you define.
To view the reports for a host traffic analysis task, click the Source tab to view traffic reports for
the selected host traffic analysis task.
Query sources
icon
2.
in the query
3.

10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1
261
a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for Source Host In/Out bar chart displays the average rate of
inbound/outbound traffic for the TopN source hosts for the selected traffic analysis task for the
selected time range. The pie chart icon
Host In/Out data as a pie chart.
262 Host monitoring
is a link to display the TopN Traffic Report for Source
Figure 166 Source Report: TopN Traffic Report for Source Host - In/Out
The TopN Traffic Report for Source Host In/Out pie chart displays the distribution of
inbound/outbound traffic for the TopN source hosts for the selected traffic analysis task for the
selected time range. Each slice of the pie chart is a link to traffic reports for the selected host.
The TopN Traffic List for Source Host In/Out provides a list of the TopN source hosts measured
by volume of inbound/outbound traffic observed for the selected host traffic analysis task for the
selected time range. This list includes the source host IP address, total volume of traffic for the
associated source host, and the percentage of all observed traffic generated by the source host.
The IP address is a link to reports for the selected source host. The host query icon
next to the
Source IP address is a link for initiating a host query and a link to the results of the host query.
Figure 167 Source Report: TopN Traffic List for Source Host- In/Out

To view this report for a host traffic analysis task, click the slice of the pie chart on the TopN Traffic
Report for Source Host report for the source host you want to view statistics for. Or, click the IP
address for the source host you want to view statistics for from the TopN Traffic List for Source Host
list.
selected source host. By default, the Traffic Trend Report for Source Host chart displays statistics
period.
Click Back to return the main Source host report page.
Figure 168 Source Report: Traffic Trend Report for Source Host
Traffic details
list.
The Traffic Details for a source host table shows two lists. The TopN Destination Hosts Communicating
with the Source Host displays the TopN destination host IP addresses, the volume of traffic sent
and received between this source and the destination hosts, and the percentage of all traffic
observed for this source and the destination hosts.
Figure 169 Source Report: Source Host TopN Applications Communicating with Source Host
Destination reports
Destination reports include inbound and outbound reports. The inbound report includes the TopN
Traffic Report for Destination Host bar/pie chart. This bar chart displays the average rate of traffic
sent to the hosts configured in the task by any other hosts. The pie chart displays the distribution
of traffic sent to the hosts configured in the task by any other hosts.
The inbound report includes the TopN Traffic List for Destination Host, which provides a list showing
volume and percentage of traffic sent to each of the TopN destination hosts that configured in the
selected task by any other hosts. The outbound report also includes the TopN Traffic Report for
Destination Host bar/pie chart.
This bar chart displays the average rate of traffic sent to the TopN destination hosts by the hosts
configured in the task. This pie chart displays the distribution of traffic sent to the TopN destination
hosts by the hosts configured in the task.
264 Host monitoring
The outbound report also includes the TopN Traffic List for Destination Host, which provides a list
showing volume and percentage of traffic sent to each of the TopN destination hosts by the hosts
that configured in the selected task. These lists also contain a link to reports for the selected
destination host. The host query icon
next to the Destination IP address is a link for initiating a
host query and a link to the results of the host query. NTA also provides a query option for filtering
To view the reports for a host traffic analysis task, click the Destination tab to view traffic reports
for the selected host traffic analysis task.
Query destinations
Destination tab.
criteria icon
2.
in
the query criteria area to set the time range for the source report.
3.

Destination HostIn the Destination Host field, enter the IP address or address range. To
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for Destination Host In/Out bar chart displays the average rate of
inbound/outbound traffic for TopN destination hosts for all hosts in the selected traffic analysis
task for the selected time range. The pie chart icon
for Destination Host In/Out data as a pie chart.
is a link to display the TopN Traffic Report
Figure 170 Destination Report: TopN Traffic Report for Destination Host In/Out
The TopN Traffic Report for Destination Host In/Out pie chart displays the distribution of
inbound/outbound traffic for TopN destination hosts for all hosts in the selected traffic analysis
task for the selected time range. Each slice of the pie chart is a link to traffic reports for the selected
host.
The TopN Traffic List for Destination Host In/Out provides a list of the TopN destination hosts
measured by volume of inbound/outbound traffic observed for all hosts in the selected host traffic
analysis task for the selected time range. This list includes the host IP address, total volume of traffic
266 Host monitoring
generated by the associated destination host, and the percentage of all observed traffic generated
by the destination host.
next to
the Destination IP address is a link for initiating a host query and a link to the results of the host
query.
Figure 171 Destination Report: TopN Traffic List for Destination Host - In

Report for Destination Host report for the destination host you want to view statistics for. Or, click
the IP address for the destination host you want to view statistics for from the TopN Traffic List for
period.
Traffic details
The Traffic Details for a destination host table shows two lists. The TopN Source Hosts Communicating
with the Destination Host displays the TopN source host IP addresses, the volume of traffic sent
and received between this destination host and the sources, and the percentage of all traffic
observed for this destination host and the source hosts.
Session reports
outbound reports. The inbound report includes the TopN Traffic Report for Session Host pie chart.
The pie chart displays the distribution of traffic generated by the TopN source/destination pairs
with destination hosts configured in the selected task.
The inbound report also includes TopN Traffic List for Session Host, which provides a list of TopN
session hosts measured by volume and percentage of traffic generated by the TopN
source/destination pairs with destination hosts configured in the selected task.
The outbound report also includes the TopN Traffic Report for Session Host pie chart. The pie chart
displays the distribution of traffic generated by the TopN source/destination pairs with source hosts
configured in the selected task. The outbound report includes TopN Traffic List for Session Host,
which provides a list of TopN session hosts measured by volume and percentage of traffic generated
by the TopN source/destination pairs with source hosts configured in the selected task.
These lists also contain a link to reports for the selected session host. The host query icon
next
to the Source Host IP address is a link for initiating a host query and a link to the results of the host
query. NTA also provides a query option for filtering reports based on criteria you define.
To view the reports for a host traffic analysis task, click the Session tab to view traffic reports for
the selected host traffic analysis task.
Query sessions
icon
2.
3.
in the query
10.153.89.10

10.153.89.0/255.255.255.0
268 Host monitoring

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for Session Host In/Out pie chart displays the distribution of
inbound/outbound traffic for TopN source and destination session pairs for all hosts in the selected
for the select source and destination session pair.
Figure 174 Session Report: TopN Traffic Report for Session Host - In/Out

The TopN Traffic List for Session Host In/Out provides a list of the TopN session source and
destination pairs measured by volume of inbound/outbound traffic observed on all hosts in the
selected host traffic analysis task for the selected time range. This list includes the source and
destination host IP addresses, total volume of traffic generated by the source and destination session
pair, and the percentage of all observed traffic generated between the source and destination
session pair.
The Details icon
is a link for viewing reports for the selected session or source/destination pair.
The host query icon

next to the Source Host and Destination Host IP address fields is a link for
initiating a host query and a link to the results of the host query.
Figure 175 Destination Report: TopN Traffic Report for Session Host - In/Out

Report for Session Host report for the session pair you want to view statistics for. Or, click the
Details icon
period.
270 Host monitoring
Figure 176 Destination Report: Session Host Traffic Trend Report

Details icon
Figure 177 Destination Report: TopN Applications for Session Host
271
9 VPN monitoring
This chapter explains the NTAs VPN monitoring features. It provides an overview of how NTA
analyzes network flow data from the viewpoint of a VPN, and it describes the report structure for
VPN traffic analyses. It reviews configuration issues around VPN analysis tasks and the reports
they generate. It describes the process for adding VPN traffic analysis tasks, including step-by-step
instructions for adding, modifying, and deleting VPN tasks in NTA. Finally, it describes the summary
reports for all VPN tasks and the more detailed reports for an individual VPN traffic analysis task.
VPN traffic analysis overview

VPN traffic analysis tasks capture and analyze network flow data for VPNs. In general, the NTAs
VPN traffic analysis tasks provide traffic statistics for the VPNs configured in a VPN traffic analysis
task. The VPN traffic reports include rate of traffic for all VPNs in all tasks and for all VPNs in a
task. VPN statistics include traffic rate by application, source host, destination host, and a session
or source/destination host pair. These reports are organized into layers from summarized information
for all tasks to detailed reporting for specific VPNs configured for an individual VPN traffic analysis
task.
VPN traffic analysis reporting overview

Once you create the first VPN traffic analysis task, NTA will create an entry called
VPN Traffic
Click VPN Traffic Analysis Task on the left navigation tree to view the summary report for all VPN
to the right of
VPN Traffic Analysis Task.
The VPN Traffic Analysis Task shortcut menu appears to display all VPN traffic analysis tasks
created in NTA. Click the name link for a task to view the VPN traffic analysis report of the task.
The summary VPN traffic analysis report includes the following contents:
Average Rate (Last 1 Hour)Summarizes the average rate per second reporting for all VPNs
specified in all VPN traffic analysis tasks summarized by task. Each bar in the graph is a link
to more detailed reporting for the selected task, including reporting for traffic rates, application,
source, destination, and session statistics. Each of these detailed report types also include
several reports for the selected task:
TrafficReports found under the Traffic tab for VPN reporting include traffic trends that
display the average inbound and outbound rate per second and the individual data
samples for the VPNs for the selected task.
ApplicationReports found under the Application tab for VPN reporting include a tabular
report displaying percentage of application traffic generated by all VPNs in a task and
a graph displaying average rate of application traffic for all VPNs in the selected task.
SourceReports found under the Source tab for VPN reporting include inbound and
outbound reports. Both reports include a pie chart displaying the percentage of traffic
generated by the TopN source hosts and a table displaying volume and percentage of
traffic generated for each of the TopN source hosts for all VPNs in the selected task. The
contents of the pie chart link to more detailed reporting for the selected host.
DestinationReports found under the Destination tab for VPN reporting include inbound
and outbound reports. Both reports include a pie chart displaying the percentage of traffic
generated by the TopN destination hosts and a table displaying volume and percentage
272 VPN monitoring
of traffic generated for each of the TopN destination hosts for all VPNs in the selected
task. The contents of the pie chart link to more detailed reporting for the selected host.
SessionReports found under the Session tab for VPN reporting include inbound and
outbound reports. Both reports include a pie chart displaying the percentage of traffic
generated by the TopN source and destination host pairs and a table displaying volume
and percentage of traffic generated for each of the TopN source and destination host
pairs for all VPNs in the selected task. The contents of the pie chart link to more detailed
reporting for the selected host.
Traffic Trend and TopN Application for Selected Task (Last 1 Hour)Provides per second
average traffic rate summarized by VPN traffic analysis task for inbound and outbound traffic
for all VPNs for all tasks. A second set of pie charts reveals the distribution of traffic for the
TopN applications, with one chart each for inbound and outbound traffic.
VPN Flux Distribution in InterfacesCan contain multiple VPN instances, and each VPN
instance can contain multiple interfaces. The table displayed here displays the traffic statistics
for every VPN instance for all the interfaces of this task.
Interface Flux Distribution in VPNsDisplays the traffic information for every interface for all
VPN instances of this task.
Summary List (Last 1 Hour)Provides per second traffic rate of traffic statistics summarized
by VPN traffic analysis task for inbound and outbound traffic for all VPNs for all tasks.
VPN traffic analysis configuration considerations

Selecting which VPNs belong to each task is the most important consideration when you add VPNs
to a task. Also, you must consider the following:
By default, NTA does not monitor any VPNs. Therefore, to monitor VPNs, you must create a
task for every VPN or group of VPNs on which you want to monitor and report. If you do not
add a VPN to a task, NTA does not report on it.
NTA presents VPN traffic analysis in the NTAs left navigation system, and provides summarized
VPN reporting based on the way you organized tasks. You define how NTA groups VPNs
and presents them for viewing.
You are not limited to adding VPNs from a single device into one task. You can group one
or more VPNs from different devices into a single task.
Consider how you want to access and view VPN data, and then structure your tasks around
it. For example, if you want to view VPN traffic statistics by geography, group the VPNs into
tasks organized by location. You can create a single task for every device, and add all of the
VPNs from that device for which you want to view statistics into the task. Also, you can create
a task for every VPN if you need more detailed reporting for a VPN.
Add only those VPNs for which you want to view statistics. Do not add all of the VPNs on a
device unless you want to view reporting for all VPNs. Adding VPNs for which you dont want
to view statistics only clutters NTAs VPN navigation. This makes it more difficult for you to
find the VPN for which you want to view data.
When you add VPNs to a task, NTA will show you a list of all devices that NTA knows about.
The list is generated from the devices that have been added to NTA using the device
management feature. If the devices you want to select do not appear on this list, it is most
likely because the device has not been added to NTA or it has not been selected in the NTA
server configuration found under server management. For more information on adding a
device for traffic analysis to NTA, see Device management. For more information on selecting
devices in NTA server management, see Modifying an NTA server configuration.
You must enable network flow data on the devices for the VPNs you want to monitor and
report on.
VPN traffic analysis overview 273
Managing VPN traffic analysis tasks

section explores the step-by-step process for adding, modifying, or removing VPN traffic analysis
tasks in NTA.

NTA displays all traffic analysis tasks in the Traffic Analysis Task List. To view the NTAs Traffic
Analysis Task List:
2. Click the Traffic Analysis Task Management link located in the Settings area of the Traffic
Analysis and Audit page. NTA displays all tasks in the Traffic Analysis Task List displayed in
the main pane of the Task Management page.
Task list contents
3.
inter-business.
Baseline AnalysisDisplays when the baseline analysis feature is enabled in NTA


In the upper-left corner of the Traffic Analysis Task List, click the Refresh button to query NTA
for the most current Traffic Analysis Task List.
and Baseline Analysis fields.The column label to sort the list by the selected field. The column label
Viewing VPN traffic analysis task details

To view the details for a VPN traffic analysis task:
Management link.
page.
3.
In the Task Name field of the Traffic Analysis Task List, click the contents of the VPN Task Type
to view the details for an individual task.
Traffic Analysis Task Details page
274
ServerContains the server name or IP address of the NTA server.
VPN monitoring
4.
inter-business.
the reports generated by this traffic analysis task.
If the Enable Baseline Analysis field is not displayed, it is because the baseline analysis
feature is disabled on the NTA server. For more information on configuration options for
the NTA server, including the baseline analysis feature, see Configuring NTA traffic
VPN Instance ListIdentifies the VPNs and their IP addresses, VPN IDs, and descriptions
configured for this traffic analysis task.
Adding a VPN traffic analysis task

To add a VPN traffic analysis task:
Management link.
page.
3.
Click Add.
4.
5.
To add a VPN traffic analysis task, select the option next to VPN in the Select Task Type section.
Click Next.
6.
In the Task Name field, enter a name for this task.

Therefore, assign descriptive and useful names to a task that help you to navigate quickly and
easily to reports.
7.
8.
In the Task Description field, enter a description for this task.

9.
access to the analysis and reports provided by this host task.
every operator group for which you want to grant access.
b. To select all operator groups, select the checkbox for all boxes in the upper-left corner of
the column label field.
Managing VPN traffic analysis tasks 275
reports generated by this task; select Disable to disable the baseline analysis feature.
parameters.
You can configure a VPN traffic analysis task to include traffic from one or more VPNs defined
by the VPN ID. You must have at least one VPN defined.
NOTE: For considerations on how to organize VPNs into tasks, see VPN traffic analysis
11. At the top of the VPN Instance List, click the Add button to add a VPN.
The VPN Instance Set dialog box appears.
a. From the Device Name list, select the device on which the VPN is configured.
management. Then the device must been selected in the NTA server configuration found
under server management. For more information on adding a device for traffic analysis
to NTA, see Device management. For more information on selecting devices in NTA
to add must be configured to forward NetStream, NetFlow or sFlow traffic to NTA as the
traffic collector or collection server.
b.
c.
d.
e.
In the VPN ID field, enter the VPN ID.

In the Description field, enter a description for this VPN.
Click OK to add the VPN to the VPN list for the VPN traffic analysis task.
Repeat this step for every VPN you want to add to the VPN traffic analysis task.
12. Click OK to create the VPN traffic analysis task.

Once you create a VPN traffic analysis task, NTA will create an entry called
VPN Traffic
Analysis Task on the left navigation tree. Click the entry to view the summary report for the VPN
to the right of
VPN Traffic Analysis Task.
The VPN Traffic Analysis Task shortcut menu appears to display all VPN traffic analysis tasks created
in NTA. Click the name link for a task to view the VPN traffic analysis report of the task.
For information about accessing and viewing VPN traffic analysis reports, see Viewing VPN traffic
analysis reports.
Modifying a VPN traffic analysis task

To modify a VPN traffic analysis task:
2. Click the Traffic Analysis Task Management link located in the Settings area of the Traffic
Analysis and Audit page. NTA displays all tasks in the Traffic Analysis Task List displayed in
the main pane of the Task Management page.
3.
276 VPN monitoring
4.
Modify the name for this task in the Task Name field as needed. The task name must be unique.
descriptive and meaningful names to help you navigate quickly and easily to reports.
5.
6.
7.
To add a new operator groups that will have access to the analysis and reports provided by
this host task, click the Select button next to the Reader field.
every operator group to which you want to grant access.
b. To select all operator groups, click the checkbox in the upper left corner of the column
label field for all boxes.
d.
e.
f.
To revoke operator group access to the results of this traffic analysis task, highlight the
groups in the Reader field you want to remove.
Click Delete.
The Reader reflects the deleted operator group changes.
8.
reports generated by this task; to disable the baseline analysis feature, select Disable.
parameters.
9.
To add a VPN, click the Add button located at the top of the VPN Instance List. You must have
at least one VPN instance defined. The VPN Instance Set dialog box is displayed.
a. Select the device on which the VPN is configured from the Device Name list.
management. Then the device must be selected in the NTA server configuration found
under server management. For more information on adding a device for traffic analysis
to NTA, see Device management. For more information on selecting devices in NTA
to add must be configured to forward NetStream, NetFlow, or sFlow traffic to NTA as
the traffic collector or collection server.
b.
c.
d.
e.
Enter the VPN ID in the VPN ID field.

Enter a description for this VPN in the Description field.
Click OK to add the VPN to the VPN list for the VPN traffic analysis task
Repeat this step for every VPN you want to add to the VPN traffic analysis task.
Managing VPN traffic analysis tasks 277
NOTE: For considerations on how to organize VPNs into tasks, see VPN traffic analysis
f.
To remove a VPN from the VPN list and task, click the Delete icon
want to delete.
for the VPN you
10. Click OK to accept your modifications to the VPN traffic analysis task.
Deleting a VPN traffic analysis task

To delete a VPN traffic analysis task:
Management link.
Management page.
3.
4.

Click OK to confirm the deletion of the selected VPN traffic analysis task.
Viewing VPN traffic analysis reports

summarized reporting for all tasks of the same type whether the task type is interface, VLAN,
application, probe, host, VPN, or inter-business..To view summarized reporting for all VPN tasks,
click the
VPN Traffic Analysis Task entry of the left navigation tree.
NTA also provides more granular reporting for individual tasks, including reports for every VPN
configured in a VPN traffic analysis task. NTA groups individual tasks by type. All VPN tasks can
be found on the VPN Traffic menu.
To view the VPN Traffic Analysis Task shortcut menu, move your mouse pointer to the shortcut menu
icon
to the right of
VPN Traffic Analysis Task. The shortcut menu displays all VPN traffic
analysis tasks created in NTA. Click the name link for a task to view the VPN traffic analysis report
of the task.
This section explores the reporting options available for VPN traffic analysis tasks, including a
review of process for navigating to VPN traffic analysis tasks, a review of the summary reports
available for VPN tasks, and a review of the reports and features available for an individual VPN
Navigating to the VPN traffic analysis reports

To navigate to VPN traffic reports:
2.
entry to view summary reporting for all VPN tasks.
VPN Traffic
3.
to
the right of
VPN Traffic Analysis Task. The VPN Traffic Analysis Task shortcut menu appears
to display all VPN traffic analysis tasks created in NTA. Click the name link for a task to view
the VPN traffic analysis report of the task.
278 VPN monitoring
Summary reports for all VPN tasks

VPN Traffic Analysis Task entry of the left navigation tree under
reports for an individual task. This section reviews the summarized reports and the features found
in them.

The Average Rate (Last 1 Hour) bar graph summarizes traffic rates for all VPNs in every VPN traffic
analysis task, grouped by VPN traffic analysis task for the last hour. You can access this graph by
clicking the
VPN Traffic entry of the left navigation tree at the top of the page. The bars in the
graph link to the reports for the selected task.
Figure 178 Summary Report: Average rate (Last 1 hour)
The Traffic Trend In line chart provides inbound traffic trend rates for all VPN traffic analysis tasks
for the last hour.
The Traffic Trend Out line chart provides outbound traffic rates for all VPN traffic analysis tasks
for the last hour.
The TopN Application In pie chart displays the distribution of traffic for the TopN applications
for all VPN traffic analysis tasks for the last hour. The sections in the pie chart serve as a link for
navigating to the reports for the selected application.
The TopN Applications Out pie chart displays the distribution of traffic for the TopN applications
for the selected VPN task for the last hour. The sections in the pie chart serve as a link for navigating
to the reports for the selected application.
Viewing VPN traffic analysis reports 279
Figure 179 Summary Report: TopN Application for Selected Task
All VPN tasks are graphed on these charts until you specify a task.
1. In the upper-right corner of the Traffic Trend and TopN Application for Selected Task title bar,
click the Select Task link to select the task.
2.
3.
Click the checkbox to the left of the host task for which you want to view this report.
Click OK.
The page displays the Traffic Trend In, Traffic Trend Out, TopN Application In, and TopN
Application Out reports for the selected task.
VPN flux distribution in interfaces

The VPN Flux Distribution In Interfaces table provides the total volume of inbound and outbound
traffic for all interfaces in all VPNs.
Figure 180 Summary Report: VPN Flux Distribution in Interfaces
Interface flux distribution in VPNs

The Interface Flux Distribution In VPNs table provides the total volume of inbound and outbound
traffic for all VPNs grouped by interface.
Figure 181 Summary Report: VPN Flux Distribution in VPNs
280 VPN monitoring

The Summary List provides inbound and outbound traffic rates statistics summarized by VPN task
for the last hour.
Summary List Contents
Task NameContains the name of the VPN traffic analysis task. The contents of this field link
to reports for associated task.
Total RateProvides the combined inbound and outbound traffic for all VPNs configured for
the associated task.
In RateProvides the rate of inbound traffic for all VPNs configured for the associated task.
Out RateProvides the rate of outbound traffic for all VPNs configured for the associated
task.
Traffic Log AuditContains the

Traffic Log Audit icon. The icon is a link to the Traffic Log
Audit result page.
The Add button at the top of the Summary List provides a shortcut to the Add Traffic Analysis
Task page. For more information on adding VPN traffic analysis tasks, see Adding a VPN
1.
2.
3.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)
Select the desired page range from Page Range.

Click Export.
Granular reports for a VPN traffic analysis task

In addition to summary reporting for all tasks, NTA provides a suite of reports for viewing VPN
data from different perspectives. Reports for VPNs are organized into five reporting groups: traffic,
application, source, destination, and session.
Traffic reports for VPN tasks provide overall traffic trends and statistics, including details for the
selected task for the selected time range.
Application reports include the average traffic rate trend for the last hour by default though
operators can configure the time range. Application reports also enable you to get the details
281
for unknown applications if the unknown application traffic analysis parameter is enabled in
the parameter management.
Source reports include the TopN source hosts chart and list for all VPNs in a task for the
selected time range.
Destination reports include the TopN source hosts chart and list for all VPNs in a task for the
Session reports include the TopN session hosts chart and list for all VPNs in a task for the
Source, destination, and session reports enable you to get detailed traffic reports for an individual
host and session.
Traffic reports
Traffic reports for VPN tasks provide overall traffic statistics for all VPNs configured in a VPN traffic
analysis task. Traffic reports for a VPN traffic analysis task include the Traffic Trendline chart that
provides inbound and outbound traffic rates for all VPNs in the selected traffic analysis task. This
chart also provides average, minimum average, maximum average, and total traffic volume statistics
in a tabular format for both inbound and outbound traffic for the associated task. The traffic reports
include the Traffic Details List that provides you with the data collection samples that includes
timestamp, total volume of traffic and traffic rate in seconds. You can filter reports by time range.
To view the reports for a VPN task, click the Traffic tab to view traffic reports for the selected VPN
Query traffic
NTA enables you to change the filter criteria for VPN traffic reports. You can change the default
settings for the time range for the graphs and tables to customize the reports displayed under the
Traffic tab.
icon
2.
in the query
To customize the time range for the traffic report, select Customfrom the list that appears in
a.
end time.
b.
Click OK.
282 VPN monitoring
3.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
Traffic trend average

The Traffic Trend combination chartprovides average rate statistics for both inbound and outbound
traffic for all VPNs in the selected traffic analysis task. This chart also provides average, minimum
average, maximum average, and total traffic volume statistics in a tabular format for both inbound
and outbound traffic for all VPNs in the associated task for the selected time range. If there is more
than one VPN for the selected task, these statistics will reflect traffic for all VPNs configured in a
task.
green line is the baseline and the red area is the average traffic rate. For more information on
configuring the baseline analysis feature for the VPN traffic analysis task, see Adding a VPN
1. To view data for an earlier period, click the Previous button located in the upper right corner
2. To view data for a later period, click the Next button located in the upper right corner of the
Traffic trend peak rate
contains four lines: Max. In Peak Rate, Min. In Peak Rate, Max. Out Peak Rate, and Min. Out Peak
Rate.
displays the Max./Min. In Peak Rate chart and Max./Min. Out Peak Rate chart under the Traffic
Trend chart. For more information on configuring the baseline analysis feature for the VPN traffic
analysis task, see Adding a VPN traffic analysis task.
284 VPN monitoring
parameters.
TopN traffic list for ToS/MPLS exp
If you have enabled the ToS/MPLS Exp Traffic Analysis feature, NTA displays the TopN Traffic List
for ToS/MPLS Exp tabular list. The TopN Traffic List for ToS/MPLS Exp provides administrators with
a tabular view of total traffic volume and percentage of total traffic volume grouped by ToS or
MPLS Exp for both inbound and outbound traffic for the selected time range for a VPN traffic
analysis task.
Figure 186 Traffic Report: TopN Traffic List for ToS/MPLS Exp
For more information on enabling ToS/MPLS Exp Traffic Analysis, see Configuring NTA traffic
Traffic details
time range. This report includes timestamp, total volume of traffic and traffic rate in seconds for
both inbound and outbound traffic.
Application reports
category for all VPNs in a task. These reports enable you to get the details for an individual
application. Application reports for a VPN traffic analysis task include the Application List, which
provides a list of applications observed for all VPNs in the selected VPN traffic analysis task. This
list includes total volume of traffic for the associated application, rate of traffic, and the percentage
of all observed traffic observed on all VPNs generated by the associated application. This report
also enables you to get the details for additional reports for the selected application. The Application
Traffic Trend stacked area chart provides average inbound and outbound traffic rates for all
applications observed for all VPNs in the selected traffic analysis task.
Protocol reports for a VPN traffic analysis task include the Protocol List, which provides a list of
protocols observed for all VPNs in the selected VPN traffic analysis task. This list includes total
volume of traffic for the associated protocol, rate of traffic, and the percentage of all observed
traffic observed on all VPNs generated by the associated protocol. This report also enables you
to get the details for additional reports for the selected protocol. The Protocol Traffic Trend stacked
area chart provides average inbound and outbound traffic rates for all protocols observed for all
VPNs in the selected traffic analysis task.
Application category reports for a VPN traffic analysis task include the Application Category List,
which provides a list of the application categories observed for all VPNs in the selected VPN traffic
analysis task. This list includes total volume of traffic for the associated application categories, rate
of traffic, and the percentage of all observed traffic observed on all VPN generated by the associated
application category. This report also enables you to get the details for additional reports for the
selected application category. The Application Category Traffic Trend stacked area chart provides
average inbound and outbound traffic rates for all applications observed for all VPNs in the selected
As with all of the report types for a VPN task, NTA also provides you with a query option for
filtering reports based on criteria you define. To view the reports for a VPN task, click the Application
tab to view traffic reports for the selected VPN traffic analysis task, and set Query Type to Application
as described in "Query applications."
information on applications in NTA, see "Managing applications." In this section we will explore
Query applications
settings for query type, application, direction, or time range for the graphs and tables to customize
1.
286 VPN monitoring
2.
3.
Select Application from the Query Type list. The page will display the report for Layer 4 through
Layer 7 applications.
Enter or select the other query criteria::
ApplicationTo select the application you want to search for, click the Select button next
to the Application field. Click the Clear button to clear all selected applications. The Query
Applications dialog box displays an empty Application List in the lower portion of the
dialog box.
To select the applications you want to search for, you must first query the Application List.
To do so:
a.
b.
c.
In the Query Applications section of the dialog box, enter one or more of the following
search criteria:
pre-defined; from the list, select No, to filter for applications that are user-defined;
select Not limited to include system or pre-defined and user-defined applications.
section.
d.
e.
Click the check boxes to the left of the applications for which you want to search.
The applications you selected appear in the Application field.
time.
time.
Additionally, to set the start time and end time for the application report, you can click the
query criteria icon
in the upper right corner of the application report. On the list that
appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours, Last 7 days, Last 30
days, Last 3 months, or Custom. Click the Query icon
in the query criteria area to set the
time range for the traffic report for Layer 4 through Layer 7 applications.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
Application list
The Application List provides a list of applications observed for all VPNs in the selected VPN traffic
analysis task for the selected time range. This list includes the name of the application, a link
for viewing the ports for all unknown applications, the total volume of traffic for the associated
application, the rate of traffic, and the percentage of all observed traffic observed on all VPNs
generated by the associated application. The application name in the Application field is a link to
reports for the selected application.
Application trend
traffic rates for all applications observed for all VPNs in the selected traffic analysis task for the
selected time range. If there is more than one VPN for the selected task, these statistics reflect traffic
for all VPNs configured in a task.
288 VPN monitoring
Figure 189 Application Report: Application Traffic Trend In/Out

NTA provides traffic trend statistics for the individual applications that were observed on the VPNs
for a selected task. Individual application reports include the Application Traffic Trend report that
displays the average rate of traffic for the selected application. Individual application reports also
include the TopN Application Usage List for source and destination hosts, which identifies which
source and destination contributed the greatest volume of traffic for the selected application. Also
included are reports for unknown TCP and UDP applications.
Unknown applications are those applications for which the layer 4 TCP or UDP port number has
not been assigned a name and is not included as an application in NTA. For more information
on assigning names to TCP or UDP ports and adding them as applications to NTA, see Managing
applications.
To view individual application reports for a host traffic analysis task, click the name in the Application
To view unknown application reports for a host traffic analysis task, click the icon
in the
Application field of the Application List report for the application for which you want to view this
report.
The Application Traffic Trend In/Out graph provides average rate of traffic for an individual
application for all VPNs in the selected traffic analysis task. If there is more than one VPN for the
selected task, this chart reflects traffic for all VPNs configured in a task.
By default, the Application Traffic Trend In/Out report graph displays statistics for the previous
hour.
of the chart.
chart.
Figure 190 Application Report: Traffic Trend Report for an Individual Application

The TopN Application Usage List includes the Source Host List In/Out and the Destination Host
List In/Out lists.
of traffic observed on all VPNs in the selected VPN traffic analysis task for the selected time range.
This list includes the source host IP address, total volume of traffic for the associated source and
the percentage of all observed traffic generated by the source. The host query icon
next to the
Source Host IP Address serves as a link for initiating a host query as well as a link for navigating
to the results of the query.
by volume of traffic observed on all VPNs in the selected VPN traffic analysis task for the selected
icon
290 VPN monitoring

The TopN Traffic Report for Unknown TCP/UDP Applications by Port In/Out provides the
distribution of traffic by TCP or UDP port number for all application traffic that cannot be attributed
to an application or protocol for all VPNs in the selected traffic analysis task for the selected time
range. NTA enables you to change how the traffic is grouped.
To group by port, select Port from the Group By list located in the upper right corner of the
TopN Traffic Report for Unknown TCP/UDP Applications by Port section of the page.
To group by source host, select Source Host from the Group By list.
To group by destination host, select Destination Host from the Group By list. Click Back to
return to the main Application report page.
Figure 192 Application Report: TopN Traffic Report for Unknown TCP/UDP Applications by Port
In/Out
TopN traffic list for unknown TCP/UDP by port

The TopN Traffic List for Unknown TCP/UDP Applications by Port provides you with a list of the
TopN unknown TCP or UDP applications measured by volume and rate of traffic observed on all
291
VPNs in the selected VPN traffic analysis task for the selected time range. This list includes the TCP
or UDP port number, total volume of traffic for the associated source, rate of traffic, and the
percentage of all observed traffic generated by the source. The port number serves as a link for
navigating to individual reports for the selected port. The icon
in the Define Application field
serves as a link for adding the selected port as a layer 4 application to NTA. For more information
on managing applications in NTA, see "Managing applications."

To view this report for a VPN traffic analysis task, click the link in the Port field of the Traffic Trend
The Traffic Trend graph provides the average rate for an individual unknown application for all
VPNs in the selected traffic analysis task. If there is more than one VPN for the selected task, this
chart will reflect traffic for all VPNs configured in a task.

To view this report for a VPN traffic analysis task, click the link in the Port field of the Traffic Trend
and destination host pairs, the volume of traffic sent and received between the source and destination
hosts, the rate of traffic observed between the pair, and the percentage of all traffic observed for
the source and destination hosts.
292 VPN monitoring
Figure 195 Application Report: TopN Traffic Details List for Unknown TCP/UDP Applications by
Port
Protocol reports
NTA. Protocol reports for a VPN traffic analysis task include the Protocol List, which provides you
with a list of protocols observed for all VPNs in the selected VPN traffic analysis task. This report
also provides drilldown capabilities for additional reports for the selected protocol. The Protocol
Traffic Trend stacked area chart provides average inbound traffic rates for all protocols observed
for all VPNs in the selected traffic analysis task. Protocol reports also include traffic lists and trend
reports for individual protocols.
As with all of the report types for a VPN traffic analysis task, NTA also provides you with a query
option for filtering reports based on criteria you define. To view the reports for a VPN traffic analysis
task, click the Application tab to view application reports for the selected VPN traffic analysis task,
andset Query Type to Protocol as described in Query protocols.
For more information on protocols in NTA, see Managing protocols. This section explores the
reports available for protocols.
Query protocols
enables you to change the filter criteria for application reports. You can change the default settings
for query type, protocol, direction, or time range for the graphs and tables to customize the reports
displayed under the Application tab.
1.
2.
The page will display the report for protocols.

3.
the right of the Application field.
The Query Applications dialog box is displayed and an empty Protocol List is displayed
in the lower portion of the dialog box. To select the protocol you want to search for, you
must first query the Protocol List. To do so:
To select the protocols you want to search for, you must first query the Protocol List. To do so:
a. Enter one or more of the following search criteria in the Query Protocols section of the
dialog box:
b.
c.

The results of your query are displayed in the Protocol List below the Query Protocols
section.
d.
e.
Click the check boxes to the left of the applications for which you want to search.
Click Clear to clear all selected protocols.
Start TimeTo auto populate this field, click the calendar icon
. A popup calendar
is displayed. Select the start date from the calendar. Adjust the hour value in the Start
Time field.
End TimeTo auto populate this field, click the calendar icon
. A popup calendar
is displayed. Select the end date from the calendar. Adjust the hour value in the End Time
field.
Additionally, to set the start time and end time for the protocol report, you can click the query
criteria icon
in the upper right corner of the application report. On the list that appears,
select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours, Last 7 days, Last 30 days, Last
3 months, or Custom. Click the Query icon
for the traffic report for protocols.
4.
in the query criteria area to set the time range
Click OK.
5.
Click the Export button to view reports using the IMCs Intelligent Analysis Report Viewer and
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.
Protocol list
The Protocol List provides a list of the protocols observed for all VPNs in the selected VPN traffic
for the associated protocol, rate of traffic, and the percentage of traffic on all VPNs generated by
the associated protocol. The protocol name in the Protocol field is a link to reports for the selected
protocol.
294 VPN monitoring
rates for all protocols observed for all VPNs in the selected traffic analysis task for the selected
time range. If there is more than one VPN for the selected task, these statistics reflects traffic for all
VPNs configured in a task.
Figure 197 Application Report: Protocol Traffic Trend In/Out

NTA provides traffic trend statistics for the individual protocol that were observed on the VPNs for
a selected task. Individual protocol reports include the Protocol Traffic Trend report that displays
the average rate of traffic for the selected protocol. Individual protocol reports also include the
TopN Protocol Usage List for source and destination hosts, which identifies which source and
destination hosts contributed the greatest volume of traffic for the selected protocol.
Protocol Listreport for the protocol for which you want to view this report. For more information
about Protocol List, see Protocol list.
The Protocol Traffic Trend In/Out graph provides average rate of traffic for an individual protocol
for all VPNs in the selected traffic analysis task. If there is more than one VPN for the selected task,
this chart reflects traffic for all VPNs configured in a task.
of the chart.
chart.
Figure 198 Application Report: Traffic Trend Report for an Individual Protocol In/Out

The TopN Protocol Usage List includes the Source Host List In/Out and the Destination Host List
In/Out lists.
next to the
icon
Figure 199 Application Report: TopN Protocol Usage List - Destination Host List
296 VPN monitoring

in NTA. Application category reports for a VPN traffic analysis task include the Application Category
List, which provides a list of the application categories observed for all VPNs in the selected VPN
traffic analysis task. This list includes total volume of traffic for the associated application categories,
rate of traffic, and the percentage of all observed traffic observed on all VPNs generated by the
associated application category. This report also provides drilldown capabilities for additional
reports for the selected application category. The Application Category Traffic Trend stacked area
chart provides average inbound traffic rates for all applications observed for all VPNs in the selected
traffic analysis task. Application category reports also include traffic lists and trend reports for the
individual application categories.
As with all of the report types for a VPN traffic analysis task, NTA also provides you with a query
option for filtering reports based on criteria you define. To view the reports for a VPN traffic analysis
task, click the Application tab to view application reports for the selected VPN traffic analysis task,
and set Query Type to Application Category as described in Query application categories.
NTA provides many system defined application categories and also supports user defined
application categories. For more information on application categories in NTA, see Managing
application categories. This section explores the reports available for application categories.
category reports.
NTA enables you to change the filter criteria for application reports. ou can change the default
settings for query type, application category, or time range for the graphs and tables to customize
1.
2.
The page will display the report for application categories.

3.
the Select button located to the right of the Application Category field.
The Query Applications dialog box is displayed and an empty Application Category List is
displayed in the lower portion of the dialog box. To select the application categories you want
to search for, you must first query the Application Category List. To do so:
a. Enter one or more of the following search criteria in the Query Application Categories
b.
c.

select No from the list. To include system or predefined as well as user-defined
application categories, select Not limited.
criteria.
The results of your query appear in the Application Category List below the Query
d.
e.
Click the boxes next to the left of the application categories for which you want to search.
Click the Clear button located to the right of the Application Category field to clear all
selected application categories.
time.
time.
Additionally, to set the start time and end time for the application category report, you can
click the query criteria icon
in the upper right corner of the application category report.
On the list that appears, select Last 1 hour, Last 3 hours, Last 12 hours, Last 24 hours, Last 7
days, Last 30 days, Last 3 months, or Custom. Click the Query icon
area to set the time range for the traffic report for application categories.
4.
Click OK.

The Application Category List provides you with a list of the application categories observed for
all VPNs in the selected VPN traffic analysis task for the selected time range. This list includes the
application category name, the inbound/outbound traffic, and the inbound/outbound rate on all
VPNs generated by the associated application category. The application category name in the
Application Category field serves as a link for navigating to reports for the selected application
category.
inbound/outbound traffic rates for all application categories observed for all VPNs in the selected
traffic analysis task for the selected time range. If there is more than one VPN for the selected task,
these statistics will reflect traffic for all VPNs configured in a task.
298 VPN monitoring
Figure 201 Application Report: Application Category Traffic Trend In/Out

NTA provides traffic trend statistics for the individual protocol categories that were observed on
the interfaces for a selected task. Individual protocol category reports include the Application
Category Traffic Trend report that displays the average rate of traffic for the selected application
category. Individual application category reports also include the TopN Application Category
Usage List that identifies the TopN source and destination hosts.
To view application category reports for an interface task or for a single interface in an interface
task, click the name in the Application Category field of the Application Category List report for the
application category for which you want to view this report. For more information about Application
Category List, see Application category list.
The Application Category Traffic Trend graph provides average rate of traffic for an individual
application category for all VPNs in the selected traffic analysis task. If there is more than one VPN
for the selected task, this chart will reflect traffic for all VPNs configured in a task. By default, this
graph displays statistics for the previous hour.
of the chart.
chart.
Figure 202 Application Report: Application Category Traffic Trend Report for an Individual
Application Category

The TopN Application Category Usage List includes the Source Host List In/Out and Destination
Host List In/Out lists.
next to the
icon
Figure 203 Application Report: TopN Application Category Usage List - Destination Host List
Source reports
Source reports include inbound and outbound reports. Both reports include a TopN Traffic Report
for Source Host pie chart. The pie chart displays the distribution of traffic that generated by the
TopN source hosts for all VPNs in the selected traffic analysis task. Both reports also include the
TopN Traffic List for Source Host, which provides you with a list of the TopN source hosts measured
by volume of traffic observed on all VPNs in the selected VPN traffic analysis task. The pie chart
contains a link for navigating to traffic reports for the selected host. The list also contains a link for
navigating to reports for the selected source host. The host query icon
next to the Source IP
address serves as a link for initiating a host query and the results of the host query. As with all of
the report types for a VPN task, NTA also provides you with a query option for filtering reports
based on criteria you define.
To view the reports for a VPN traffic analysis task, click the Source tab to view traffic reports for
the selected VPN traffic analysis task.
300 VPN monitoring
Query sources
for source host, traffic direction, or time range to customize the charts and lists displayed under
the Source tab.
icon
2.
in the query
To customize the time range for the source report, select Customfrom the list that appears in
3.

Source HostIn the Source Host field, enter the IP address or address range.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

inbound/outbound traffic in a certain period of time in a selected VPN traffic analysis task. Click
a bar for a source host in the chart to view the traffic analysis report of the source host.
distribution of inbound/outbound traffic of the TopN source hosts for all VPNs in the selected traffic
analysis task for the selected time range. Each slice of the pie chart serves as a link for navigating
to traffic reports for the selected host.
Figure 204 Source Report: TopN Traffic Report for Source Host In/Out
302 VPN monitoring

The TopN Traffic List for Source Host In/Out provides you with a list of the TopN source hosts
measured by volume of inbound/outbound traffic observed on all VPNs in the selected VPN traffic
analysis task for the selected time range. This list includes the source host IP address, total volume
of traffic for the associated source host, the percentage of all observed traffic generated by the
source host. The IP address serves as a link for navigating to reports for the selected source host.
The host query icon
next to the Source IP address serves as a link for initiating a host query as
well as a link for navigating to the results of the host query.
Figure 205 Source Report: TopN Traffic List for Source Host In/Out

To view this report for a VPN traffic analysis task, click the bar of the bar chart on the TopN Traffic
list.
of the chart.
chart.
Figure 206 Source Report: Traffic Trend Report for Source Host
Traffic details for source host

To view this report for a VPN traffic analysis task, click the bar of the bar chart on the TopN Traffic
list.
The Traffic Details for a source host table provides you with two lists. The TopN Destination Hosts
of traffic sent and received between this source and destination hosts, and the percentage of all
traffic observed for this source and destination hosts.
Figure 207 Source Report: TopN Destination Hosts Communicating with the Source Host
Destination reports
Destination reports include inbound and outbound reports. Both reports include a TopN Traffic
Report for Destination Host pie chart. The pie chart displays the distribution of traffic that generated
by the TopN destination hosts for all VPNs in the selected traffic analysis task. Both reports also
include the TopN Traffic List for Destination Host, which provides you with a list of the TopN
destination hosts measured by volume of traffic observed on all VPNs in the selected VPN traffic
analysis task. The pie chart contains a link for navigating to traffic reports for the selected host.
The list also contains a link for navigating to reports for the selected destination host. The host
query icon
next to the Destination IP address serves as a link for initiating a host query and
the results of the host query. As with all of the report types for a VPN task, NTA also provides you
with a query option for filtering reports based on criteria you define.
To view the reports for a VPN traffic analysis task, click the Destination tab to view traffic reports
for the selected VPN traffic analysis task.
Query destinations
Destination tab.
criteria icon
2.
in
To customize the time range for the destination report, select Customfrom the list that appears
304 VPN monitoring
3.
Destination HostIn the Destination Host field, enter the IP address or address range.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
time.
time.
4.
Click OK.
5.
Click the Export button to view reports using the IMCs Intelligent Analysis Report Viewer and
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for destination Host bar chart displays the TopN destination hosts with the
most inbound/outbound traffic in a certain period of time in a selected VPN traffic analysis task.
Click a bar for a destination host in the chart to view the traffic analysis report of the destination
host.
distribution of inbound/outbound traffic of TopN destination hosts for all VPNs in the selected
traffic analysis task for the selected time range. Each slice of the pie chart serves as a link for
navigating to traffic reports for the selected host.
Figure 208 Destination Report: TopN Traffic Report for Destination Host In/Out

The TopN Traffic List for Destination Host In/Out provides you with a list of the TopN destination
hosts measured by volume of inbound/outbound traffic observed on all VPNs in the selected VPN
traffic analysis task for the selected time range. This list includes the host IP address, total volume
of traffic generated by the associated destination host, and the percentage of all observed traffic
generated by the destination host. The IP address serves as a link for navigating to reports for the
selected destination host. The host query icon
next to the Destination IP address serves as a
link for initiating a host query as well as a link for navigating to the results of the host query.
Figure 209 Destination Report: TopN Traffic List for Destination Host In/Out
306 VPN monitoring

To view this report for a VPN traffic analysis task, click the slice of the pie chart on the TopN Traffic
The Traffic Trend Report for Destination Host line chart provides you with the average rate of traffic
for the selected destination host. By default, the Traffic Trend Report for Destination Host chart
displays statistics for the previous hour.
of the chart.
chart.
Traffic details
The Traffic Details for a destination host table provides you with two lists. The TopN Source Hosts
of traffic sent and received between this destination host and the sources, and the percentage of
all traffic observed for this destination host and the source hosts.
Session reports
outbound reports. Both reports include a TopN Traffic Report for Session Host pie chart. The pie
chart displays the distribution of the traffic that generated by the TopN session hosts for all VPNs
in the selected traffic analysis task. Both reports also include a TopN Traffic List for Session Host,
which provides you with a list of the TopN session hosts measured by volume of traffic observed
on all VPNs in the selected VPN traffic analysis task. The pie chart contains a link for navigating
to traffic reports for the selected session. The list also contains a link for navigating to reports for
the selected session host. The host query icon
next to the Source Host and Destination Host IP
address fields serves as a link for initiating a host query and the results of the host query. As with
all of the report types for a VPN task, NTA also provides you with a query option for filtering
To view the reports for a VPN traffic analysis task, click the Session tab to view traffic reports for
the selected VPN traffic analysis task.
Query sessions
icon
2.
in the query
3.

Source HostIn the Source Host field, enter the IP address or address range.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1

a001:410:0:1::1/64
308 VPN monitoring
time.
time.
4.
Click OK.
5.
a.
b.
c.

on the toolbar.
d.
e.

on the toolbar.
f.
g.
Adobe Acrobat (PDF)

Click Export.

The TopN Traffic Report for Session Host In/Out pie chart displays the distribution of inbound
and outbound traffic for TopN source and destination session pairs for all VPNs in the selected
for the select source and destination session pair.
Figure 212 Session Report: TopN Traffic Report by Session Host In

The TopN Traffic List for Session Host In/Out provides you with a list of the TopN session source
and destination pairs measured by volume of inbound/outbound traffic observed on all VPNs in
the selected VPN traffic analysis task for the selected time range. This list includes the source and
destination host IP addresses, total volume of traffic generated by the source and destination session
pair, and the percentage of all observed traffic generated between the source and destination
session pair. The icon
in the Details field serves as a link for viewing reports for the selected
session or source/destination pair. The host query icon

next to the Source Host and Destination
Host IP address fields serves as a link for initiating a host query as well as a link for navigating to
the results of the host query.
Figure 213 Session Report: TopN Traffic Report for Session Host In/Out

Details icon
The Session Host Traffic Trend Report line chart provides you with the average rate of traffic for
the source and destination host pair. By default, the Session Host Traffic Trend Report chart displays
310
of the chart.
chart.
VPN monitoring

Details icon
311
10 Inter-business monitoring
This chapter provides an overview of inter-business traffic analysis, explains how to manage
inter-business traffic analysis tasks, and describes how to navigate different types of inter-business
Inter-business traffic analysis overview

Inter-business traffic analysis tasks allow you to combine host and application information and
assign it a business service name. NTA parses network flow records based on the combination of
hosts and applications that you create, and provides traffic statistics for those hosts and applications.
Because inter-business analyses are based on hosts and applications and are not tied to an interface,
a device, or probe network flow data sources, inter-business reports provide visibility for all areas
of the network that generate network flow records.
In general, traffic reports include the rate of traffic for all hosts and applications in all tasks, and
for the hosts and applications in a specific task. They include per-second traffic for each configured
inter-business analysis task, the average rate for a single business and for inter-business traffic,
and inter-business reports that operators have saved to the Interest list under the Interest tab. The
reports provide both summarized information for tasks as well as detailed information about specific
applications configured for a traffic analysis task.
Inter-business traffic analysis reporting overview

Click Inter-Business Traffic Analysis Task on the left navigation tree to view the summary report for
all inter-business traffic analysis tasks.
To view the inter-business traffic analysis report for a single task, move your mouse pointer to the
shortcut menu icon
to the right of Inter-Business Traffic Analysis Task. The Inter-Business Traffic
Analysis Task shortcut menu appears to display all inter-business traffic analysis tasks created in
NTA. Click the name link for a task to view the inter-business traffic analysis report of the task.
Each inter-business traffic analysis report contains three granular reports, including Single Business,
Inter-Business, and Interest. Click the Expand icon
next to a task on the Inter-Business Traffic
Analysis Task shortcut menu to display the three granular reports for the inter-business traffic analysis
task. Click the name link for a granular report to view the granular report.
The summary inter-business traffic analysis report includes the following contents:
312
Average Rate (Last 1 Hour)This bar graph provides average-rate-per-second reporting for
all inter-business tasks. Each bar in the graph is a link for navigating to more granular reporting
for the selected task:
Single BusinessThese reports provide a bar graph depicting the TopN average rate
per second generated by the hosts and applications you have configured as a single
business application or service for the selected task. Click the contents of this graph to
navigate to detailed information about the selected application. The Traffic Details section
lists traffic volume and rate statistics for both inbound and outbound traffic.
Inter-BusinessThese reports provide a bar graph showing the average traffic rate for
the hosts and applications in a business service, as well as other business traffic. The
Traffic Details section lists traffic flux and rate statistics for all business-to-business traffic.
InterestThese are the reports saved by operators to the Interest list.
Summary List (Last 1 Hour)This list provides the per-second traffic rate by inter-business traffic
analysis task. This list provides navigation to more granular host reporting for the selected
task.
Inter-business monitoring
Inter-business traffic analysis configuration issues

There are several things to consider when you create an inter-business task, including the following
issues.
Inter-Business tasks rely on the configuration of both hosts and applications. If you add hosts
without adding applications, no data will be attributed to the task.
You must determine the locations on your network where you plan to capture host and
application data. You must enable network flow data for the devices and their interfaces for
those locations. You must then add these devices and probes to NTA using the Device
Management and Probe Management features. NTA will then summarize host and application
data for all devices and probes on which it observes inter-business traffic.
When you add applications to a task, NTA provides a list of all known applications. It is
generated from the list of predefined applications in NTA, or applications that you have added
using the Application Management feature. If the applications you want to add are not listed,
it is probably because the application has not been added to NTA. For more information on
adding applications to NTA, see Managing applications.
Managing inter-business traffic analysis tasks

NTA processes, analyzes, and reports on network flow data through tasks created by administrators.
Until a task is created, NTA will not analyze the data that devices forward to it or that it is configured
to receive. This section explains how to add, modify, and remove inter-business traffic analysis
tasks in NTA.

1.
2.

In the Settings area of the Traffic Analysis and Audit page, click the Traffic Analysis Task
Management link.
Management page.
Traffic analysis task list contents
3.
Task NameThis field contains the name of the task. The contents of this field link to the
Traffic Analysis Task Details page for the associated task.
Task DescriptionThis field contains the description for the associated task.
Task TypeThis field identifies the task type interface, VLAN, probe, application, host,
Baseline AnalysisThis field appears when the Baseline Analysis feature is enabled in
NTA parameters. The Baseline Analysis feature provides an additional layer of analysis
to NTA reports by including baseline trend data when data has been collected for a
minimum of one week.
ModifyThis field contains a link to the
DeleteThis field contains an icon
Modify page for the associated task.
upper-left corner of the Traffic Analysis Task List.
NOTE: You can sort the Traffic Analysis Task List by the Name, Task Description, Task Type and
313
Viewing details for a traffic analysis task

1.
2.

Click the Traffic Analysis Task Management link in the Settings area of the Traffic Analysis
and Audit page.
page.
3.
Click the contents in the Task Name field of the Traffic Analysis Task List whose Task Type is
Inter-Business.
NTA displays details for the traffic analysis task.
4.
Traffic Analysis Task Details page
Task NameThis field contains the name of the task.
Task DescriptionThis field contains the description of the associated task.
Task DescriptionThis field contains the server name or IP address of the NTA server.
Task TypeThis field identifies the task type--interface, VLAN, probe, application, host, VPN,
or inter-business.
ReaderThis field identifies the operator groups in IMC that have been granted access to
view the reports generated by this traffic analysis task.
Baseline AnalysisThis field indicates whether the Baseline Analysis feature is enabled for
the task. If this field is not displayed, this feature is disabled in the NTA parameters. For more
information on configuration options for NTA parameters, including the Baseline Analysis
feature, see Configuring NTA traffic analysis parameters.
Business Info.This list identifies the inter-business host and application groups that have been
configured for the traffic analysis task.
Adding an inter-business traffic analysis task

1.
2.

and Audit page.
page.
3.
Click Add.
4.
5.
To add an inter-business traffic analysis task, click the option button next to Inter-Business on
the Select Task Type page.
Click Next.
6.

descriptive and useful names to a task that help you to navigate quickly and easily to reports.
7.
314
8.
Select the NTA, NetStream, NetFlow, or sFlow collection server from the Server list.
Unless configured otherwise by the administrator, the NTA server name is the IP address of
9.
To select the operator groups that will have access to the analysis and reports provided by
this traffic analysis task, click the Select button to the right of the Reader field.
a. Select the check box next to the Name of each operator group for which you want to
grant access. To select all operator groups, select the check box in the upper left corner
of the column label field for all boxes.
The operator groups are displayed in the Reader field.
You can configure a traffic analysis task to include traffic from one or more business
services. A business service consists of a combination of one or more host IP addresses
and applications, which are optional.
10. To add a business service, click the Add button at the top of the Business Info. list.
The
a.
b.
c.
Add Business page is displayed.

Enter a unique name for the business service in the Business Name field.
Enter a brief description for the business service in the Business Description field.
To enable threshold alarm for the reports generated by this task, select Enable from the
Threshold Alarm list. To disable threshold alarm, select Disable.
If you select Enable, the threshold alarm configuration parameters are displayed under
this list.
d.
Set the threshold alarm configuration parameters:

TriggerThis field indicates under what conditions the threshold is triggered. This condition
In ThresholdThis field indicates the threshold value or volume of inbound traffic that
must be exceeded before NTA generates an alarm.
Out ThresholdThis field indicates the threshold value or volume of outbound traffic that
must be Major.
be sent again. Options are None, Last 30 minutes, Last 1 hour, and Last 2 hours. The
default setting is Last 30 minutes.
If the Threshold Alarm list is not displayed, the Threshold Alarm feature has been disabled
on the NTA server. For more information on configuration options for the NTA server,
including the Threshold Alarm feature, see Configuring NTA traffic analysis parameters.
In a traffic analysis task, you add a combination of hosts and applications that define a
business service. For each business service you create, you specify whether or not you
want NTA to include or exclude traffic from the hosts and applications.
e.
To include traffic from the hosts and applications you specify as a business service, select
Include from the IP Stat. Direction list. To exclude traffic from the hosts and applications
you specify as a business service, select Exclude.
315
f.
You can add one or more IP hosts or IP address ranges to a traffic analysis task. However,
you must have at least one host defined, and no more than 10 host entries defined for
each task. You can add multiple businesses in a traffic analysis task.
You can configure a traffic analysis task to include traffic for one or more hosts defined
by IP address. Alternatively, you can enter a range of IP addresses to be included in the
analysis, or you can enter a combination of IP host addresses and IP address ranges.
However, no two addresses or address ranges entered in the Host IP field can overlap.
g.
Add IP address entries in the Host IP field.

To enter the IP address for a single host, use dotted decimal notation.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

a001:410:0:1::1
a001:410:0:1::1/64
h.
Click the Add button to the right of the Host IP field.

The addresses and masks you entered are added to the Host IP List field below the Host
IP field.
11. To add applications to the task, click the Add button to the right of the Application List field.
the dialog box.
To select applications to add to the task, you must first query the Application List:
a. Enter one or more of the following search criteria in the Query Applications section of
the dialog box:
Application: Enter the partial or complete name of each application you want to search
for.
Pre-defined: To search for applications that are predefined, select Yes. To filter for
applications that are user defined, select No. To include both predefined and user-defined
applications, select Not limited.
To display the complete Application List, click Query without entering any search criteria.
b.
c.
d.

section. Select the checkboxes next to the applications you want to add to the task.
Click OK to add the applications to the traffic analysis task you want to create.
NOTE: If the application you want to add to this task does not exist in the Application List,
you can add it as a user-defined application. For more information on adding applications
to NTA, see Managing applications.
12. Click OK to create the business service.
13. To create more business services, repeat steps 1012. When you have finished adding business
services to the task, go to the next step 14.
316
14. Click OK to create the traffic analysis task.

Once you create an inter-business traffic analysis task, NTA will create an entry called
Inter-Business Traffic Analysis Task on the left navigation tree. Click the entry to view the summary
report for the inter-business traffic analysis tasks.
to the right of
Inter-Business Traffic
Analysis Task. The Inter-Business Traffic Analysis Task shortcut menu appears to display all
inter-business traffic analysis tasks created in NTA. Click the name link for a task to view the
inter-business traffic analysis report of the task.
For information about accessing and viewing inter-business traffic analysis reports, see Viewing
inter-business traffic analysis reports.
Modifying a traffic analysis task

1.
2.

and Audit page.
Management page.
3.
4.

descriptive and useful names to a task that that enables you to navigate quickly and easily to
reports.
5.
6.
Modify the description for this task in the Task Description field as needed.
Select the NTA, NetStream, NetFlow or sFlow collection server from the Server list.
Unless configured otherwise by the administrator, the NTA server name is the IP address of
7.
To add operator groups that will have access to the analysis and reports provided by this
task, click the Select button to the right of the Reader field.
a. Select the check box next to the Name of each operator group for which you want to
grant access. To select all operator groups, select the check box in the upper-left corner
of the column label field for all boxes.
b. Click OK to accept the operator group selection.
The operator groups are displayed in the Reader field.
c.
d.
e.
To revoke operator group access to the results of this task, select operator groups in the
Reader field.
Click Delete.
Click OK to confirm deletion of the selected operator groups from the task.
The Reader list is updated to reflect the changes.
You can configure a task to include traffic from one or more business services. A business
service consists of a combination of one or more host IP addresses and applications,
which are optional.
317
8.
To modify an existing business service, click the Modify icon

the Business Info. list.
for the business service in
The Modify Business page is displayed.

a. Enter a brief description for the business service in the Business Description field.
b. To enable threshold alarm for the reports generated by this task, select Enable. To disable
threshold alarm, select Disable.
If you select Enable, the threshold alarm configuration parameters are displayed.
c.
Set the threshold alarm configuration parameters:

DirectionThis field indicates the direction you want to apply to the threshold: In, Out,
or In/Out.
TriggerThis field indicates under what conditions the threshold is triggered. This condition
In ThresholdThis field indicates the threshold value or volume of inbound traffic that
Out ThresholdThis field indicates the threshold value or volume of outbound traffic that
must be Major.
be sent again. Options are None, Last 30 minutes, Last 1 hour, and Last 2 hours. The
default setting is Last 30 minutes.
If the Threshold Alarm list is not displayed, the threshold alarm feature has been disabled
on the NTA server. For more information on configuration options for the NTA server,
including the threshold alarm feature, see Configuring NTA traffic analysis parameters.
In a traffic analysis task, you add a combination of hosts and applications that define a
business service. For each business service you create, you specify whether or not you
want NTA to include or exclude traffic from the hosts and applications.
9.
To include traffic from the hosts and applications you specify in a business service, select
Include from the IP Stat. Direction list. To exclude traffic from the hosts and applications, select
Exclude.
You can add one or more IP hosts or IP address ranges to a traffic analysis task. However,
you must have at least one host defined, and no more than 10 host entries defined for each
task. You can add multiple businesses in a traffic analysis task.
You can configure a traffic analysis task to include traffic for one or more hosts defined by IP
address. Alternatively, you can enter a range of IP addresses to be included in the analysis,
or you can enter a combination of IP host addresses and IP address ranges. However, no two
addresses or address ranges entered in the Host IP field can overlap.
10. Add IP address entries in the Host IP field. To enter the IP address for a single host, use dotted
decimal notation.
10.153.89.10

10.153.89.0/255.255.255.0

10.153.89.0/24

318
a001:410:0:1::1
a001:410:0:1::1/64
11. Click the Add button to the right of the Host IP field.
The addresses and masks you entered are added to the Host IP List field below the Host IP
field.
12. To add applications to the task, click the Add button next to the Application List field.
The Query Applications dialog box is displayed, and an empty Application List is displayed
To select applications to add to the task, you must first query the Application List:
a. Enter one or more of the following search criteria in the Query Applications section of
the dialog box:
ApplicationEnter the partial or complete name of each application you want to search
for.
Pre-definedTo search for applications that are predefined, select Yes. To filter for
applications that are user defined, select No. To include both predefined and user-defined
applications, select Not limited.
To display the complete Application List, click Query without entering any search criteria.
b.

section.
c.
d.
Select the check boxes to the left of the applications you want to add to the task.
Click OK to add the applications to the task you want to create.
The applications are displayed in the Application List.
NOTE: If the application you want to add to this task does not exist in the Application
List, you can add it as a user-defined application. For more information on adding
e.
Click OK to create the business service.
13. To add more business services, repeat steps 10-12.

14. To remove business services from the Business Info. list, click the Delete icon
business services.
for those
The Business Info. list is updated to reflect the deletions.

15. When you have finished adding services to or removing services from the Business Info. list,
go to steps 17.
16. Click OK to accept your modifications to the inter-business traffic analysis task.
Deleting a traffic analysis task

1.
2.
and Audit page.
Management page.
3.
319
4.
Click OK to confirm the deletion of the task.

The Traffic Analysis Task List is updated to reflect the deletion.
Viewing inter-business traffic analysis reports

An inter-business traffic analysis task combines host and application information into a business
service. NTA parses network flow records based on the combination of hosts and applications you
specify. NTA provides several levels of reporting for all inter-business tasks. There are summarized
reports for all tasks, granular reports for an individual task, and more granular reports for the host
and application groups within an inter-business task. All reports can be accessed by clicking the
highest level entry of the left navigation tree under the Traffic Analysis and Auditsection. To view
summarized reporting for all inter-business tasks, click the
entry of the left navigation tree.
Inter-Business Traffic Analysis Task
NTA groups individual tasks by type. All inter-business tasks can be found on the Inter-Business
Traffic Analysis Task menu.
To view the Inter-Business Traffic Analysis Task shortcut menu, move your mouse pointer to the
shortcut menu icon
to the right of
Inter-Business Traffic Analysis Task. The shortcut menu
displays all inter-business traffic analysis tasks created in NTA. Click the name link for a task to
view the inter-business traffic analysis report of the task.
This section explores the reporting options available for inter-business traffic analysis tasks and
includes a review of process for navigating to inter-business traffic analysis tasks, a review of the
summary reports available for inter-business tasks, and a review of the reports and features available
for an individual inter-business traffic analysis task.
Navigating to the inter-business traffic analysis reports

1.
2.
To view summary reporting for all inter-business traffic analysis tasks, click the
Inter-Business
Traffic entry under the Traffic Analysis and Audit section of the left navigation tree.
3.
to
the right of
Inter-Business Traffic Analysis Task. The Inter-Business Traffic Analysis Task
shortcut menu appears to display all inter-business traffic analysis tasks created in NTA. Click
the name link for a task to view the inter-business traffic analysis report of the task.
Summary reports for all inter-business traffic analysis tasks

Summary reports provide the highest level of reporting for all tasks of the same type. You access
the reports by clicking the
Inter-Business Traffic entry of the left navigation tree under the Traffic
Analysis and Audit section. The reports provide navigation aids to the reports for a specific task.
This section describes the summary reports and their features.

This bar graph summarizes traffic rates for all host and application groups in every inter-business
traffic analysis task, grouped by inter-business traffic analysis task.
To access this graph, click the
Inter-Business Traffic entry of the left navigation tree.
The bars in the graph are links to the reports for the selected task.

The Summary List provides traffic statistics summarized by inter-business task.
Summary List contents
Task NameThis field contains the name of the inter-business traffic analysis task. Click the
contents of this field to navigate to reports for the associated task.
Total RateThis field provides the total rate of traffic observed for all applications configured
for the associated inter-business task for the last hour.
In RateThis metric provides the rate traffic for all inbound traffic for the host and application
groups configured for the associated task for the last hour.
Out RateThis metric provides the rate traffic for all outbound traffic for the host and application
groups configured for the associated task for the last hour.
The Add button located at the top of the Summary List provides you with a shortcut to the Add
Inter-Business Traffic Analysis Task page. For more information on adding inter-business traffic
analysis tasks, see Adding an inter-business traffic analysis task.
1.
2.
Granular reports for an inter-business traffic analysis task

In addition to summary reporting for all tasks, NTA provides a suite of reports that provide different
perspectives for host and application data in inter-business traffic analysis tasks. Reports for
inter-business tasks are organized into three reporting groups: Single Business, Inter-Business, and
Interest.
Single Business reports provide overall traffic statistics and summary statistics for all host and
application groups in the selected task for the specified time range.
Inter-Business reports provide traffic statistics for host and application groups within the task
and for applications or hosts outside the task.
Interest reports are reports that operators have added to the Interest list.
In addition, these reports provide navigation aids to more granular reports for the individual task.
Single Business reports

Single Business reports for an inter-business traffic analysis task include the TopN Avg. Rate bar
chart, which provides average-per-second inbound and outbound traffic rates for all hosts and
applications in the selected task for the specified time range. Single Business reports also include
the Traffic Details list, which provides a summary of the total traffic volume and the rate (in seconds)
for inbound and outbound traffic for all host and application groups in the selected task. As with
all report types, NTA provides a query option for filtering reports based on the criteria you define.
To view the reports for an inter-business traffic analysis task, click the Single Business tab to view
traffic reports for the selected inter-business traffic analysis task.
Viewing inter-business traffic analysis reports
321
Query traffic
NTA enables you to change the filter criteria for traffic reports. You can refine the data presented
in inter-business reports using the Query Traffic option. Using this feature, you can change the
default settings for the business name as well as the time range for the graphs and tables to
1. In the query criteria area in the upper right corner of the single business report, click the query
criteria icon
2.
in
the query criteria area to set the time range for the traffic report.
To customize the time range for the single business report, select Custom from the list that
appears in the query criteria area, or click the Advanced icon
end time.
b.
Click OK.
TopN avg. rate

The TopN Avg. Rate stacked bar chart provides average per second inbound and outbound traffic
rate summarized by all host and application groups in the selected traffic analysis task. The bars
in the graph serve as a link for navigating to more granular reports for the selected single business.
Figure 217 Single Business Report: TopN Avg. Rate Report
By default, the TopN Avg. Rate stacked bar chart displays statistics for the previous hour.
of the chart.
chart.
Traffic details
The Traffic Details list provides you with a summary of traffic statistics for all host and application
groups in the task based on the report time range. This list includes total volume of inbound and
outbound traffic and traffic rate in seconds for both inbound and outbound traffic for the selected
time range. The business name serves as a link for navigating to reports for a single host and
application group.
Figure 218 Single Business Report: Traffic Details List
The Traffic Trend chart provides you with the average rate of traffic for the single business in the
associated task. This chart also provides average, minimum average, maximum average, and total
traffic volume statistics in a tabular format for a single business in the associated task. By default,
the Traffic Trend chart displays statistics for the previous hour.
chart.
Figure 219 Single Business Report: Traffic Trend Reports
To view this report for a single business traffic in a task, click the bar in the TopN Avg. Rate chart
report for the business for which you want to view reports.
contains four lines, Max. In Peak Rate, Min. In Peak Rate, Max. Out Peak Rate, and Min. Out Peak
Rate.
Viewing inter-business traffic analysis reports 323
Figure 220 Single Business Report: Peak Rate
report for the business for which you want to view reports, and set the time range for the report to
a value longer than 6 hours.
parameters.
Flux Distribution
The In/Out Flux Distribution chart displays the distribution of inbound and outbound traffic for the
select business. This chart also provides the total volume of traffic and the percentage of all observed
traffic for the associated business.
Figure 221 Single Business Report: Flux Distribution Report
report for the business for which you want to view reports.
To add a single host and application group in a task to the Interest List, click the Add to Interest
List link for the associated business service you want to add.
Inter-Business reports
Inter-Business reports for an inter-business traffic analysis task include the TopN Avg. Rate stacked
bar chart that provides average per second inbound and outbound traffic rates between all hosts
and applications in the selected traffic analysis task for the selected time range and all other
business services. The inter-business reports also include the Traffic Details list that provides you
with a summary of total traffic volume and rate in seconds between inbound and outbound traffic
for all host and application groups in the selected task and all other business services. As with
each of the report types, NTA also provides you with a query option for filtering reports based on
criteria you define.
Click the Inter-Business tab in the inter-business traffic analysis report to view the inter-business
reports of the task.
Query traffic
NTA enables you to change the filter criteria for traffic reports. You can refine the data presented
in inter-business reports using the Query Traffic option. Using this feature, you can change the
default settings for the business name as well as the time range for the graphs and tables to
1. In the query criteria area in the upper right corner of the inter-business report, click the query
criteria icon
2.
in
To customize the time range for the inter-business report, select Custom from the list that appears
end time.
b.
Click OK.
TopN Avg. Rate

rate observed between all host and application groups configured in the selected traffic analysis
task and all other businesses. The bars in the graph serve as a link for navigating to more granular
reports for the selected task.
Figure 222 Inter-Business Report: TopN Avg. Rate Report
Traffic details
The Traffic Details list provides you with a breakdown of traffic bi-directional traffic rates between
hosts and application groups configured in the task and all other business traffic. This report includes
volume and rate statistics for bi-directional traffic for the selected time range.
Figure 223 Inter-Business Report: Traffic Details List
To add a bi-directional pair to the Interest List, click the Add to Interest List link for the associated
bi-directional pair you want to add.
The Traffic Trend chart provides you with the average rate of traffic for the inter-business in the
associated task. This chart also provides average, minimum average, maximum average, and total
traffic volume statistics in a tabular format for inter-business in the associated task. By default, the
Traffic Trend chart displays statistics for the previous hour.
chart.
To view data for a later period, click the Next button in the upper-right corner of the chart.
Figure 224 Inter-Business Report: Traffic Trend Reports
To view this report for an inter-business traffic in a task, click the bar in the TopN Avg. Rate chart
report for the inter-business for which you want to view reports.
If you have enabled the Peak Traffic Analysis feature, and you have selected a time range from
the Query Time list of the Query Traffic section that is at least 6 hours earlier than the current time,
NTA displays the Max./Min. Peak Rate chart to the right of the Traffic Trend chart.
The Traffic Trend Peak Rate line chart displays, for the selected time range, the minimum and
maximum inbound and outbound peak traffic rates for the associated task. This chart contains four
lines: Max. In Peak Rate, Min. In Peak Rate, Max. Out Peak Rate, and Min. Out Peak Rate.
Figure 225 Inter-Business Report: Peak Rate
To view this report for an inter-business traffic in a task, click the bar in the TopN Avg. Rate chart
report for the inter-business for which you want to view reports.
parameters.
Traffic Details
The Traffic Details list provides you with a breakdown of bi-directional traffic. This report includes
total volume and rate of traffic statistics for bi-directional traffic for the selected time range.
Figure 226 Inter-Business Report: Traffic Details List
To view this list for an inter-business traffic in a task, click the bar in the TopN Avg. Rate chart report
for the inter-business for which you want to view reports.
Interest reports
Interest reports for an inter-business traffic analysis task include those reports operators have chosen
to save to the Interest List because they are of interest to the operator. Interest reports display traffic
between business tasks defined in NTA and other business traffic. Reports include the TopN Avg.
Rate stacked bar chart that provides average per second inbound and outbound traffic rates for
all inter-business tasks for the selected time range. The Interest reports also include the Traffic Details
list that provides you with a summary of flux and rate statistics between business tasks and other
traffic. As with each of the report types, NTA also provides you with a query option for filtering
Click the Interest tab in the inter-business traffic analysis report to view the interest reports of the
task.
Query Traffic
NTA enables you to change the filter criteria for traffic reports. Using the Query Traffic option, you
can refine the data presented in inter-business reports. You can change the default settings for the
business name, as well as the time range for the graphs and tables, to customize the reports
displayed under the Interest tab.
1. In the query criteria area in the upper right corner of the inter-business report, click the query
criteria icon
in
2.
To customize the time range for the inter-business report, select Custom from the list that appears
end time.
b.
Click OK.
TopN Avg. Rate

rate observed between all single business and inter-business traffic and other traffic entries in the
Traffic Details list saved by operators to the Interest List. The bars in the graph serve as a link for
navigating to more granular reports.
Figure 227 Interest Report: TopN Avg. Rate Report
By default, the TopN Avg. Rate stacked bar chart displays statistics for the previous hour.
of the chart.
chart.
To view the report for an entry, click the bar in the chart for which you want to view reports.
Traffic details
The Traffic Details list provides you with a breakdown of bi-directional traffic rates for all single
business and inter-business traffic and other traffic entries in the Traffic Details report saved by an
operator to the Interest List. This report includes total volume and rate of traffic statistics for
bi-directional traffic for the selected time range.
Figure 228 Interest Report: Traffic Details List
To remove a bi-directional pair from the Traffic Details interest list, click the Delete from Interest List
link for the associated bi-directional pair you want to remove.
11 Performing traffic log audits in NTA

Traffic log auditing in NTA provides you with the ability to generate source, destination, and
session traffic reports based on NTA's data capture from the data source you select. NTA supports
traffic log auditing for one interface on a device or for the selected data sources for an existing
interface, probe, or VPN task. To use the traffic log auditing feature, devices, probes, and interface,
probe, or VPN tasks must already exist in NTA prior to the execution of a traffic log audit. This
chapter explores the process of configuring NTA to support traffic log auditing and provides
step-by-step instructions for executing a traffic log capture as well as viewing the reports generated
by them.
Configuring NTA for traffic log auditing

Traffic log auditing leverages the traffic packets captured by the interfaces of devices, VPNs, and
probes that have been added to NTA and configured in traffic analysis tasks. Therefore, performing
a traffic log audit for viewing source, destination, or session statistics requires pre-audit configuration
of NTA. This section describes the steps required to configure NTA before using the traffic log
auditing feature.
Adding data sources to NTA

Before you can use NTA's traffic log audit feature to view source, destination, and session traffic
statistics for a selected data source, you must first add the data source to NTA. Then, you must
create a traffic analysis task for the interface, probe, or VPN in order to make the interface, probe,
or VPN available as a data source for traffic log audits. The following sections provide information
on adding devices, probes, and VPNs as data sources.
Adding a device
The traffic log auditing feature enables you to use the interfaces of devices as data sources in NTA.
To use a device interface in a traffic log audit, you must first add the device to NTA. For information
on adding a device to NTA, see Device management, in particular, see Adding an NTA data
source device.
You must also configure the device to forward NetStream, NetFlow, or sFlow traffic to the NTA
server. See your vendors documentation for information on configuring a router or switch to enable
NetStream, NetFlow, or sFlow data to a collector. For more information on configuring the NTA
server as a collector, see Managing NTA servers.
After you have added a device to NTA, you select the device or probe in the NTA server
configuration.
Adding a probe
You can use the probes that have been configured in traffic analysis tasks as a data source for
traffic log auditing. A probe in NTA is a server running probe server software that converts traffic
it receives through mirroring into network flow records that NTA can process. To add a probe to
NTA, see Probe management, in particular, see Adding a probe.
You must also install the probe application program on a dedicated server and configure it to
receive traffic mirrored from the ports which you want to view statistics for.
You must configure the router or switch to mirror traffic from one or more ports to the port to which
the probe server is connected. If you are using a tap kit, you must also install the tap kit inline into
the link being monitored. See your vendors documentation for information on configuring a router
or switch to enable NetStream, NetFlow, or sFlow data to a collector, or for information on installing
tap kits. For more information on configuring the NTA server to receive network flows from a probe
server, see Managing NTA servers.
Configuring NTA for traffic log auditing
331
After you have added a probe to NTA, you select a probe in the NTA server configuration, see
Selecting the device or probe.
Adding a VPN
You can also use the VPNs that have been configured in traffic analysis tasks as a data source for
traffic log auditing. To add a VPN to NTA, you must first add the device to which the VPN belongs.
For instructions, see Device management, in particular, see Adding an NTA data source device.
You must also configure the device to forward NetStream, NetFlow, or sFlow traffic to the NTA
server. See your vendors documentation for information on configuring a router or switch to enable
NetStream, NetFlow, or sFlow data to a collector. For more information on configuring the NTA
server as a collector, see Managing NTA servers.
After you have added a device to NTA, you select the device or probe in the NTA server
configuration, see Selecting the device or probe.
Selecting the device or probe

After you have added a device that includes the interface or VPN for which you want to capture
a traffic audit log, you select the device or probe in the NTA server configuration.
2. Click the Server Management link in the Settings area of the Traffic Analysis and Audit page.
NTA displays all servers in the Server List in the main pane of the Server Management page.
3.
4.

To enable the processing of network flow data from a device in NTA, select the check box
next to the device name in the Traffic AnalysisDevice Information section.
To disable the processing of network flow data from a device in NTA, clear the check box
next to the device name.
5.
6.
To add a device that does not appear in the Device Information list, see Managing NTA
data sources, in particular, see Device management.
To enable the processing of network flow data from a probe (probe server) in NTA, select the
check box next to the probe name in the Traffic AnalysisProbe Information section.
To disable the processing of network flow data from a probe in NTA, clear the check box
next to the device name.
7.
To add a probe that does not appear on the Probe Information list, see Managing NTA data
sources, in particular, see Probe management.
NOTE: Every device and probe selected on the Server Configuration page consumes a
license. If you do not have enough licenses to add a device or probe, then you must deselect
a device or probe before adding a new one. If the device or probe you deselect is already
configured for an interface, VPN or probe traffic analysis task, you must remove it from the
task before you can select a new device or probe on the Server Configuration page. For
example, if you want to modify an interface task, see Modifying an interface traffic analysis
task.
8.
Click Deploy to accept and deploy the NTA server configuration changes.
After you have selected a device or probe in NTA, you must create a traffic analysis task if the
data source you want to use is an interface, probe, or VPN.
For information on creating an interface traffic analysis task, see Managing interface traffic
analysis Tasks, in particular, see Adding an interface traffic analysis task.
For information on creating a probe traffic analysis task, see Managing probe traffic analysis
tasks, in particular, see Adding a probe traffic analysis task.
For information on adding a VPN task to NTA, see Managing VPN traffic analysis tasks,
in particular, see Adding a VPN traffic analysis task.
Configuring the aggregation policy

NTA enables you to define the granularity that is used to process the network flow records. The
standard aggregation policy summarizes data at 5-minute intervals; the rough aggregation policy
summarizes data at 20-minute intervals.
3.
4.
5.

From the Traffic Analysis Log Aggregation Policy list, select the aggregation policy you want
to apply to all log files processed by this NTA server. Options are:
No Aggregation (Best Timeliness)This option does not aggregate data and is suitable
for environments that have high requirements on report timeliness. This aggregation mode
requires much disk space because several logs will be generated.
Aggregation (Standard)This option aggregates data at 5-minute intervals and is suitable

for environments that have an average number of logs generated. It requires less disk
space than No Aggregation mode and more disk space than Aggregation (Rough
Granularity) mode.
Aggregation (Rough Granularity)This option aggregates data at 20-minute intervals

and is suitable for environments that have a small number of logs generated. It requires
the least amount of disk space.
Click Deploy to accept and deploy the NTA server configuration changes.
Creating an interface, probe, or VPN traffic analysis task

A traffic analysis task ties network flow records to data analysis and reporting. NTA will not capture
log data for a traffic log audit if the data source has not been added to a traffic analysis task.
Administrators must create traffic analysis tasks that define which data sources configured in NTA
will become available for traffic log auditing. This section provides information on creating traffic
analysis tasks so that interfaces, probes, and VPNs are available for traffic log audits.
Adding an interface traffic analysis task

Adding an interface traffic analysis task makes the device and its interfaces available as a data
source configuration option for a traffic log audit. For more information on adding an interface
task to NTA, see Managing interface traffic analysis Tasks, in particular, see Adding an interface
Adding a probe traffic analysis task

Adding a probe traffic analysis task makes the probes available as a data source configuration
option for a traffic log audit. For more information on adding a probe task to NTA, see Managing
probe traffic analysis tasks, in particular, see Adding a probe traffic analysis task.
Configuring NTA for traffic log auditing 333
Adding a VPN traffic analysis task

Adding a VPN traffic analysis task makes the VPN(s) available as a data source configuration
option for a traffic log audit. For more information on adding a VPN task to NTA, see Managing
VPN traffic analysis tasks, in particular, see Adding a VPN traffic analysis task.
After completing these configuration steps, you can perform a traffic log audit. For information on
how to perform an audit, see Performing a traffic log audit.
Performing a traffic log audit

A traffic log audit enables you to view source, destination, and session traffic statistics for the last
hour for the selected interface, probe, or VPN. This section explains how to configure NTA to
perform a traffic log audit. The first step is to capture the NTA server flux log.
To initiate a traffic log audit:
3.
4.
Click the Capture Flux Log icon

for the NTA server for which you want to capture a flux
log.
When prompted, click OK to capture the flux log.
The results of the Capture Flux Log request are displayed at the top of the Server Management
page. Review the results to ensure that NTA is configured properly to capture the flux log. It
may take several minutes before the captured data becomes available for viewing.
5.
To configure and view the captured data, click the Traffic Log Audit link
tree under Traffic Analysis and Audit.
in the left navigation
The Audit Conditions page is displayed.

6.
To select the device interface, probe, or VPN for which you want to view statistics, click the
Select button next to the Audit Items field.
The Select Audit Item dialog box is displayed.
All devices that have been added to NTA, selected on the NTA server configuration page,
and added to traffic analysis tasks are displayed. All interface, probe, and VPN traffic analysis
tasks are also displayed.
a.
Click the Expand icon
next to a device name to view all interfaces for that device.
b.
c.
d.
Click the Expand icon next to a task group heading to view all tasks for the task type.
Select an interface on the device, or a specific interface/probe/VPN traffic analysis task.
Click OK.
If the interface, probe, or VPN for which you want to perform a traffic log audit is not displayed,
it is likely because the device or probe has not been added to NTA, selected as a data source
device for the NTA server you are using, or has not been selected as a data source for an
interface, probe, or VPN traffic analysis task. For more information on configuring NTA for a
traffic log audit, see Configuring NTA for traffic log auditing.
NTA wil auto populates the Start Time and End Time fields with the maximum time range
permitted for a traffic log audit.
7.
To change the start time range, click the calendar icon

next to the Start Time field. A
pop-up calendar is displayed. Select the start date from the calendar. Adjust the hour value
in the Start Time field.
8.
9.
To change the end time range, click the calendar icon

next to the End Time field. A
pop-up calendar is displayed. Select the end date from the calendar. Adjust the hour value
in the End Time field.
Filter the traffic log audit results based on your configuration of the filter parameters. To instruct
NTA to filter based on all of the filter conditions you define, select Meet all of the following
conditions from the Custom Query list. To instruct NTA to meet one or more of the conditions
you define, select Meet any of the following conditions from the Custom Query list.
To filter the traffic log audit results by source host, enter the IP address of the source host
in the Source Host field.
To filter the traffic log audit results by destination host, enter the IP address of the
destination host in the Destination Host field.
To filter the traffic log audit results by source port, enter the source port in the Source Port
field.
To filter the traffic log audit results by destination port, enter the destination port in the
Destination Port field.
To filter the traffic log audit results by layer 4 IP protocol, select TCP or UDP from the
Protocol list.
10. Click Audit to display the source, destination, and session reports generated by the audit.
The page displays the source, destination, and session reports generated by the audit.
Viewing traffic log audit reports

Traffic log audits generate three types of reports:
Source host reports display statistical information for all unique source host IP addresses
discovered during the log capture.
Destination host reports display statistical information for all unique destination host IP addresses
Session reports display statistical information for all unique source and destination pairs
You must initiate a flux log capture on your NTA server and submit your audit conditions
configuration before NTA will update the Audit Conditions page to display the traffic log audit
results. For more information on these steps, see Performing a traffic log audit.
Source host reports

Source host reports organize, by source host IP address, the statistical information captured during
the traffic log audit. Source host reports include a list of all source host IP addresses discovered
during the capture and detailed information for a single host.
Source Host List

The Source Host List contains a list of all unique source IP addresses identified in the flux log. The
list contains statistical information about each host, including the total volume of traffic and packets
and the percentage of traffic generated by the source host. It also contains links to more-detailed
reports for the associated host, including the Host Query page and the Source Host Details List.
To view the Source Host List, click the Source tab under the Audit Conditions section of the Traffic
Log Audit page that is generated after you have initiated a flux log capture and submitted your
audit conditions configuration. (For more information on these steps, see Performing a traffic log
audit.) NTA displays all source hosts that it has identified in the flux capture log.
Viewing traffic log audit reports 335
Source Host List contents
Query HostsThis icon is a link to the Query Hosts page that contains historical information
for the associated source host.
Source HostThis field contains the IP address of the source host. The field is a link to the
NTA Source Host Details Report page for detailed information on the associated source host.
For more information on this feature, see Source Host Details list.
TrafficThis field contains the total volume of traffic generated by the associated source host
for the traffic log audit time range.
PacketThis field contains the total number of IP packets generated by the associated source
host for the traffic log audit time range.
Packet LengthThis field contains the average length of the data package.
PercentageThis field contains the percentage of traffic generated by the associated source
host.
If the Source Host List contains enough entries, the following navigational aids are displayed:
Click
to page forward in the Source Host List.
Click
to page forward to the end of the Source Host List.
Click
to page backward in the Source Host List.
Click
to page backward to the beginning of the Source Host List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Source Host List to configure
For lists that have more than one page, click a number on the bottom right side of the main
pane to go to that page.
To change the order of columns in this list, click the Custom button in the upper-left corner of
the Source Host List. The Column List dialog box is displayed.
To move a column up or left in the table, click the Move Up button

to the column name checked.
To move a column down or to the right in the table, click the Move Down button
the box next to the column name checked.
with the box next

with
NOTE: You can sort the Source Host List by all fields. Click the column label to sort the list by the
selected field. The column label allows you to toggle between the sort options specific to each
field.
Source Host Details list

The Source Host Details List contains a list of all unique destination IP addresses for the selected
source host captured in the flux log. The list contains statistical information about each destination
host, including the total volume of traffic and packets observed between the selected source host
and the associated destination host. It also contains the source and destination ports and links to
Query Hosts reports for the associated destination host.
To view the Source Host Details List, click the Source tab under the Audit Conditions section of the
Traffic Log Audit page that is generated after you have initiated a flux log capture and submitted
your audit conditions configuration. (For more information on these steps, see Performing a traffic
log audit.) Click the IP address in the Source Host field. NTA displays all destination hosts that it
has identified for the selected source host in the flux capture log.
Source Host Details List contents
Start TimeThis field contains the timestamp for the start of the network flow for the selected
source host and destination host.
End TimeThis field contains the timestamp for the end of the network flow for the selected
Destination HostThis field contains the IP address of the destination host. It is a link to the
Query Hosts page for historical information on the selected destination host.
ProtocolThis field identifies the layer 4 IP protocol used in the flow: TCP or UDP.
Source PortThis field identifies the layer 4 source port number for the flow. For more
information on the port, click the port number in this field.
Destination PortThis field identifies the layer 4 destination port number for the flow. For
more information on the port, click the port number in this field.
TrafficThis field contains the total volume of traffic generated by the associated source host
PacketThis field contains the total number of IP packets generated by the associated source
If the Source Host Details List contains enough entries, the following navigational aids are displayed:
Click
to page forward in the Source Host Details List.
Click
to page forward to the end of the Source Host Details List.
Click
to page backward in the Source Host Details List.
Click
to page backward to the beginning of the Source Host Details List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Source Host Details List to
configure how many items per page you want to display
For Source Host Details List that have more than one page, click 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
from the bottom right side of the main pane to jump to a particular page of the trap list.
To summarize entries in this list, from the Group list. Options are Ungroup (no grouping),
Group by Destination Host, Group by Source Port, Group by Destination Port, and Group by
Protocol.
To change the order columns in this list, click the Custom button in the upper-left corner of the
Source Host Details List. The Column List dialog box is displayed.
To move a column up or to the left in the table, select the column, and then click the Move
Up button
with the box next to the column name checked.
To move a column down or to the right in the table, select the column, and then click the
Move Down button
NOTE: You can sort the Source Host Details List by all fields. Click the column label to sort the
list by the selected field. The column label allows you to toggle between the sort options specific
to each field.
Destination host reports

Destination host reports organize, by destination host IP address, the statistical information captured
during the traffic log audit. Destination host reports include a list of all destination host IP addresses
discovered during the capture and detailed reports for a single host.
Destination Host List

The Destination Host List contains a list of all unique destination IP addresses identified in the flux
log. The list contains statistical information about each host, including the total volume of traffic
and packets and the percentage of traffic generated by the destination host. It also contains links
to more-detailed reports for the associated host, including the Query Hosts page and the Destination
Host Details List.
To view the Destination Host List, click the Destination tab under the Audit Conditions section of
the Traffic Log Audit page that is generated after you have initiated a flux log capture and submitted
your audit conditions configuration. (For more information on these steps, see Performing a traffic
log audit.) NTA displays all destination hosts that it has identified in the flux capture log.
Destination Host List contents
Query Hosts
This icon is a link to the Query Hosts page that contains historical information
for the associated destination host.
Destination HostThis field contains the IP address of the destination host. The field is a link
to the NTA Destination Host Details Report page for detailed information on the associated
destination host. For more information on this feature, see Destination Host Details list.
TrafficThis field contains the total volume of traffic generated by the associated destination
PacketThis field contains the total number of IP packets generated by the associated
destination host for the traffic log audit time range.
PercentageThis field contains the percentage of traffic generated by the associated destination
host.
If the Destination Host List contains enough entries, the following navigational aids are displayed:
Click
to page forward in the Destination Host List.
Click
to page forward to the end of the Destination Host List.
Click
to page backward in the Destination Host List.
Click
to page backward to the beginning of the Destination Host List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Application List to configure
how many items per page you want to display
For Destination Host Lists that have more than one page, click 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
from the bottom right side of the main pane to jump to a particular page of the trap list.
Destination Host List. The Column List dialog box is displayed.
Up button
Move Down button
NOTE: You can sort the Destination Host List by all fields. Click the column label to sort the list
by the selected field. The column label allows you to toggle between the sort options specific to
each field.
Destination Host Details list

The Destination Host Details List contains a list of all unique destination IP addresses for the selected
destination host captured in the flux log. The list contains statistical information about each
destination host, including the total volume of traffic and packets observed between the selected
destination host and the associated source host. It also contains the source and destination ports
and links to Query Hosts reports for the associated destination host.
To view the Destination Host Details List, click the Destination tab under the Audit Conditions section
of the Traffic Log Audit page that is generated after you have initiated a flux log capture and
submitted your audit conditions configuration. (For more information on these steps, see Performing
a traffic log audit.) Click the IP address in the Destination Host field. NTA displays all destination
hosts that it has identified for the selected destination host in the flux capture log.
Destination Host Details List contents
Source HostThis field contains the IP address of the source host. The field is a link to the
Query Hosts page for historical information on the selected destination host.
ProtocolThis field identifies the layer 4 IP protocol used in the flow: TCP or UDP.
PacketThis field contains the total number of IP packets generated by the associated
destination host for the traffic log audit time range.
If the Destination Host Details List contains enough entries, the following navigational aids are
displayed:
Click
to page forward in the Destination Host Details List.
Click
to page forward to the end of the Destination Host Details List.
Click
to page backward in the Destination Host Details List.
Click
to page backward to the beginning of the Destination Host Details List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Destination Host Details
List to configure how many items per page you want to display
For Destination Host Details List that have more than one page, click 1, 2, 3, 4, 5, 6, 7, 8, 9,
10 from the bottom right side of the main pane to jump to a particular page of the trap list.
To summarize entries in this list, from the Group list. Options are Ungroup (no grouping),
Group by Source Host, Group by Source Port, Group by Destination Port, and Group by
Protocol.
Destination Host Details List. The Column List dialog box is displayed.
Up button
Move Down button
NOTE: You can sort the Destination Host Details List by all fields. Click the column label to sort
the list by the selected field. The column label allows you to toggle between the sort options specific
to each field.
Session reports
Session reports organize, by session source and destination IP address pairs, the statistical
information captured during the traffic log audit. Session reports include a list of all session source
and destination IP addresses discovered during the capture and historical details for both source
and destination hosts.
Session List
The Session List contains a list of all unique source and destination IP address pairs identified in
the flux log. The list contains statistical information about each pair, including the total volume of
traffic and packets, protocol used, and packet length generated by the session. It also contains
links to the Query Hosts page.
To view the Session List, click the Session tab under the Audit Conditions section of the Traffic Log
Audit page that is generated after you have initiated a flux log capture and submitted your audit
conditions configuration. (For more information on these steps, see Performing a traffic log audit.)
NTA displays all sessions that it has identified in the flux capture log.
Session List contents
source and destination host pair.
source and destination host pair.
Source Host
This field contains the IP address of the sessions source host. The field is a
link to the Query Hosts page that contains historical information for the associated source
host.
Destination Host
This field contains the IP address of the sessions destination host. The
field is a link to the Query Hosts page that contains historical information for the associated
destination host.
ProtocolThis field identifies the layer 4 protocol used in the association: TCP or UDP.
PacketThis field contains the total number of IP packets generated by the associated session
If the Session List contains enough entries, the following navigational aids are displayed:
Click
to page forward in the Session List.
Click
to page forward to the end of the Session List.
Click
to page backward in the Session List.
Click
to page backward to the beginning of the Session List.
Select 8, 15, 50, 100, or 200 from the list at the lower right of the Session List to configure
how many items per page you want to display
For Session Lists that have more than one page, click 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 from the
bottom right side of the main pane to jump to a particular page of the trap list.
Session List. The Column List dialog box is displayed.
Up button
Move Down button
NOTE: You can sort the Session List by all fields. Click the column label to sort the list by the
selected field. The column label allows you to toggle between the sort options specific to each
field.
12 NTA reports
The NTA report function is implemented through the report module of the IMC platform. All reporting
is template driven, meaning that reports are generated from system or user-defined templates. NTA
provides two templates: Device Interfaces Traffic Summary Report and Device Interfaces Application
Summary Report.
IMC offers various reporting options. From the Report tab, you can quickly and easily access NTAs
template-driven reports on the device interface traffic and device interface applications. You can
view and export realtime reports and scheduled reports. For instructions on viewing realtime reports
and scheduled reports, see IMC Base Platform Administrator Guide.
The NTA report function provides scheduled reports. You can schedule NTA reports to run daily,
weekly, monthly, quarterly, semi-annually, or annually. You can define the start dates of data
collection for scheduled reports, and the end dates and times for the corresponding scheduled
report tasks. You configure the report formats with options for Adobe Acrobat PDF, CSV, or Microsoft
XLS. You can include email recipients for all scheduled reports. A description of each report template
follows:
Device Interfaces Traffic Summary ReportProvides traffic statistics for the interfaces of the
specified device managed by NTA. The report shows the summary traffic statistics for all
interfaces of a device to which the operator has access. To view the report, set the following
parameters:
Device NameSpecifies the device for which a report will be generated. You can set
only one device.
Begin TimeSets the start time for the time range in a data collection period.
End TimeSets the end time for the time range in a data collection period.
Device Interfaces Application Summary ReportProvides application statistics for the specified
interface of devices managed by NTA. The report shows the summary application statistics
for an interface of a device to which the operator has access. To view the report, set the
following parameters:
InterfaceSets the interface for which a report will be generated. You can set only one
interface.
Begin TimeSets the start time for the time range in a data collection period.
End TimeSets the end time for the time range in a data collection period.
342 NTA reports
13 NTA widgets
NTA provides various widgets, including display tiling widgets and home page widgets.
The display tiling function of IMC displays multiple monitoring tasks simultaneously on a
high-resolution screen. To cooperate with this function, NTA provides the following display tiling
widgets:
Traffic Trend for Interface NTA Task (Last 1 Hour)
Traffic Trend for VLAN NTA Task (Last 1 Hour)
Traffic Trend for Probe NTA Task (Last 1 Hour)
Traffic Trend for Application NTA Task (Last 1 Hour)
Traffic Trend for Host NTA Task (Last 1 Hour)
Traffic Trend for VPN NTA Task (Last 1 Hour)
The home page customization function of IMC allows an operator to customize a home page. The
operator can customize different home page widgets after logging in to the IMC home page. This
function facilitates viewing various monitoring information. To cooperate with this function, NTA
provides the following home page widgets:
TopN Application for Interface NTA Task (Last 1 Hour)
TopN Application for VLAN NTA Task (Last 1 Hour)
TopN Application for Probe NTA Task (Last 1 Hour)
TopN Application for Host NTA Task (Last 1 Hour)
TopN Application for VPN NTA Task (Last 1 Hour)
Traffic Trend for Application NTA Task(Last 1 Hour)
Traffic Trend for Host NTA Task(Last 1 Hour)
Traffic Trend for Interface NTA Task(Last 1 Hour)
Traffic Trend for Probe NTA Task(Last 1 Hour)
Traffic Trend for VLAN NTA Task(Last 1 Hour)
Traffic Trend for VPN NTA Task(Last 1 Hour)
Application Traffic for Host NTA Task(Last 1 Hour)
TopN Session List(Last 1 Hour)
Display tiling widgets

Display tiling widgets provided by NTA include:
Traffic Trend for Interface NTA Task (Last 1 Hour)
Traffic Trend for VLAN NTA Task (Last 1 Hour)
Traffic Trend for Probe NTA Task (Last 1 Hour)
Traffic Trend for Application NTA Task (Last 1 Hour)
Traffic Trend for Host NTA Task (Last 1 Hour)
Traffic Trend for VPN NTA Task (Last 1 Hour)
To view widgets by using the display tiling function, the administrator should configure the display
content and layout of the display tiling first.
Display tiling widgets 343
Configuring the display tiling display

1.
2.
Click
on the top navigation bar.
Select Display Tiling > Configuration from the menu to open the display tiling configuration
page, as shown in
Figure 229 Display tiling configuration page
3.
4.
5.
Select a display tiling widget provided by NTA on the widget bar menu at the top of the page,
and drag it to the configuration area.
Drag the display boxes of the widget to configure the layout of the page.
Right click the widget in the configuration area. Click Parameter Configuration in the shortcut
menu.
The Parameter Configuration window appears.
6.
After the parameters are configured, click OK.

Different widgets have different parameters. The following section provides more details about
the parameters.
Configuring display tiling widget parameters

The parameters for different NTA display tiling widgets are not the same. The Traffic Trend for
Interface NTA Task (Last 1 Hour), Traffic Trend for Host NTA Task (Last 1 Hour), and Traffic Trend
for VPN NTA Task (Last 1 Hour) widgets have the same parameters. The Traffic Trend for VLAN
NTA Task (Last 1 Hour), Traffic Trend for Probe NTA Task (Last 1 Hour), and Traffic Trend for
Application NTA Task (Last 1 Hour) widgets have the same parameters.
Parameters for the Traffic Trend for Interface/Host/VPN NTA Task (Last 1 Hour) widget include:
DirectionSpecifies the direction of the traffic. Only statistics of the specified direction are
displayed. The options are In, Out, and Not Limited.
TaskSpecifies the selected tasks. Only statistics about the selected tasks are displayed. Select
the boxes on the task list to select one or more tasks.
344 NTA widgets
For the Traffic Trend for VLAN/Probe/Application NTA Task (Last 1 Hour) widget, you just need to
select tasks and do not need to specify a direction.
For the Traffic Trend for Probe NTA Task (Last 1 Hour) and Traffic Trend for Application NTA Task
(Last 1 Hour) widgets, the direction is ignored in the collection of statistics.
For the Traffic Trend for VLAN NTA Task (Last 1 Hour) widget, the direction is specified when the
VLAN traffic analysis task is created.
TIP: For NTA widgets for which the direction needs to be specified, if you select Not Limited,
the widget needs two curves to display information. Increase the height of the display area on the
screen so you can see the curves clearly.
Viewing the display effect

After the configuration is completed, you can view the configuration effect by using the display
tiling function. Figure 230 shows the display effect of the Traffic Trend for Interface NTA Task (Last
1 Hour) and Traffic Trend for VLAN NTA Task (Last 1 Hour) widgets.
Figure 230 Display tiling
Move the mouse pointer to the curves to see the specific values.
Home page widgets

The home page widgets that NTA provide include:
TopN Application for Interface NTA Task (Last 1 Hour)
TopN Application for VLAN NTA Task (Last 1 Hour)
TopN Application for Probe NTA Task (Last 1 Hour)
TopN Application for Host NTA Task (Last 1 Hour)
TopN Application for VPN NTA Task (Last 1 Hour)
Traffic Trend for Interface NTA Task(Last 1 Hour)
Traffic Trend for Probe NTA Task(Last 1 Hour)
Traffic Trend for VLAN NTA Task(Last 1 Hour)
Traffic Trend for Application NTA Task(Last 1 Hour)

Home page widgets 345
Traffic Trend for Host NTA Task(Last 1 Hour)
Traffic Trend for VPN NTA Task(Last 1 Hour)
When using home page widgets, after choosing the layout scheme on the home page, the
administrator can just add and configure NTA home page widgets without too many layout
operations. For more information about customizing home page widgets, see HP IMC Base Platform
Configuring home page widget parameters

The parameters for different NTA home page widgets are not the same.
TopN Application for Interface/VLAN/Probe/Host/VPN NTA Task (Last 1 Hour)

Move the mouse pointer to the title bar at the upper right of each widget. Click the setting icon
in the popup menu. Click Parameter Settings in the pull-down menu to open the parameter
configuration window.
For the TopN Application for Interface/VLAN/Probe/Host/VPN NTA Task (Last 1 Hour) widgets,
the home page widget parameters that can be configured include:
the boxes next to the task names on the task list to select one or more tasks.
For the TopN Application for VLAN/Probe NTA Task (Last 1 Hour) widget, the direction does not
need to be specified. After the configuration is completed, the IMC home page displays the content
that needs to be monitored in a pie chart.
Traffic Trend for Interface/VLAN/Application/Probe/Host/VPN NTA Task(Last 1 Hour)

Move the mouse pointer to the title bar at the upper right of each widget. Click the setting icon
in the popup menu. Click Parameter Settings in the menu to open the parameter configuration
window.
For the Traffic Trend for Interface/VLAN/Application/Probe/Host/VPN NTA Task(Last 1
Hour)widgets, the home page widget parameters that can be configured include:
the boxes next to the task names on the task list to select one or more tasks.
For the TopN Application for VLAN/Probe/Application NTA Task (Last 1 Hour) widget, the direction
does not need to be specified. After the configuration is completed, the IMC home page displays
the content that needs to be monitored in a line chart.

Move the mouse pointer to the title bar at the upper right of the Application Traffic for Host NTA
Task(Last 1 Hour) widget. Click the setting icon
in the popup menu. Click Parameter Settings
in the menu to open the parameter configuration window.
346 NTA widgets
Parameters that need to be configured include:
DirectionSpecifies the traffic direction in the host traffic analysis task. Only statistics of the
specified direction are displayed. The options are In, Out, and Not Limited.
TaskSpecifies the applications in the host traffic analysis task. Only statistics of the specified
applications are displayed. Click the plus sign (+) to the right of the application textbox. Then
the Query Applications dialog box pops up. Follow these steps to select applications:
1. Enter the complete or part of the application name in the Application text box.
2. Click the Search button to search for the application.
3. Select the boxes on the application list to select applications.
4. Click OK.
To remove a selected application, highlight the application name and click the minus sign (-).
TaskSpecifies the selected host traffic analysis tasks. Only statistics about the selected tasks
are displayed. Select the boxes on the task list to select one or more.
After the configuration is completed, the IMC home page displays the content that needs to be
monitored in a list.

Move the mouse pointer to the title bar at the upper right of home page widgets of the TopN Session
List(Last 1 Hour) widget. Click the setting icon
in the popup menu. Click Parameter Settings
in the menu to open the parameter configuration window.
Query TimeSpecifies the time range of the data that the widget displays.
ServerSpecifies a NTA server to count the number of host sessions.
DirectionSpecifies the direction in which the host sessions are counted. The options are In,
Out, and Not Limited.
Top NShows information about the TopN hosts by the number of sessions.
Viewing the display effect

After the configuration is completed, the administrator can view the configuration effect on the
customized home page. Figure 231 shows the display effect of the TopN Application for Interface
NTA Task (Last 1 Hour) and Traffic Trend for Interface NTA Task(Last 1 Hour) widgets.
Home page widgets 347
Figure 231 Customized Home Page
348 NTA widgets
14 Analyzing traffic between virtual machines

Virtual machines running on the same physical server can provide different types of services to
network users concurrently. Each virtual machine has a unique IP/MAC address, so all traffic
passing through the devices can be captured by the device supporting NetStream v5/v9, NetFlow
v5/v9, or sFlow v5, and sent to NTA for processing and analysis. However, because traffic between
virtual machines is forwarded internally by the vSwitches of the physical server without passing
through the devices, traffic cannot be captured and forwarded to NTA for processing and analysis.
To collect and analyze traffic between virtual machines, you create a virtual machine on the physical
server and deploy a probe server on the virtual machine. This chapter describes how to deploy
the probe server on a VMware virtual machine to collect and analyze traffic between virtual
machines. By default, the probe server deployed on a VMware virtual machine does not receive
traffic between virtual machines. To enable the probe server to capture traffic between virtual
machines, you must modify the settings of the virtual machines network adapter.
To use NTA to analyze traffic between VMware virtual machines:
1. Deploy a probe on the virtual machines.
In NTA, a probe is a probe server, which is an application that runs on a dedicated server.
A probe server acts as a network flow generator that transmits network flow data to the NTA
server that acts as a flow collector. probe servers receive information forwarded to it from
network devices. NTA retrieves data from probe servers when the probe server is added to
the NTA server as a probe. Operators use probe servers when the devices in their network
cannot generate NetStream, NetFlow, or sFlow data. For instructions on deploying a probe
on virtual machines, see Deploying a probe on a virtual machine.
2.
Configure the virtual machines network adapters.

A virtual machine with a probe deployed needs two network adapters, one for collecting data
and the other for sending data to the NTA server. The two network adapters are added to
different port groups. To enable the probe to collect and analyze traffic between virtual
machines, you must add the network adapters to the correct port groups. By default, the probe
deployed on a virtual machine cannot receive packets transmitted between virtual machines.
You must configure the port group on which the network adapter for collecting traffic resides
in order to operate in promiscuous mode; then, all virtual machine network adapters in the
port group operate in promiscuous mode. A probe can capture data packets between virtual
machines only when the network adapters operate in promiscuous mode. For instructions on
how to modify the network configuration of a port group, see Setting the network configuration
for a virtual machine network adapter.
In promiscuous mode, a virtual machine network adapter listens to all packets. In
non-promiscuous mode, it can listen only to traffic on its own MAC address. By default, virtual
machine network adapters are in non-promiscuous mode.
3.
Add the probe to NTA.

After you deploy a probe and modify port group configurations, you must configure the NTA
server to receive and process the network flow records from the probe. Use the Probe
Management feature in the Settings section to add probes to NTA. For more information on
using Probe Management to configure NTA to receive network flow data records from probe
servers, see Probe management.
After a probe server has been added to an NTA server as a probe, and the probe has been
selected on the Server Management page, the NTA server is ready to begin processing data
from the probe server/probe. Probe traffic analysis tasks instruct NTA to begin processing
probe server data based on the task configuration. For more information on selecting a probe
in the NTA server configuration, see Managing NTA servers, in particular, see Modifying
an NTA server configuration.
349
4.
Configure probe traffic analysis tasks.

Probe traffic analysis tasks analyze network flow data for the probes you specify. NTA parses
all network flow data and provides statistical views of traffic received by the probes configured
in a probe traffic analysis task. For example, NTA provides source and destination host
information reporting by probe, displaying traffic for source or destination hosts that sent or
received traffic from the locations where the probes were deployed. For instructions on how
to configure probe traffic analysis tasks, see Probe monitoring.
Deploying a probe on a virtual machine

The network shown in Figure 232 provides four virtual machines: WWW, BBS, Database, and
Probe. WWW and BBS are web servers, Database is a database server, and Probe is a probe
server. Network adapter eth0 for virtual machines WWW, BBS, and Database provides external
services and is added to port group 1. Network adapter eth1 is used for network management
and is added to port group 2. Probe adds network adapter eth0 to port group 1 and network
adapter eth1 to port group 2.
After you configure port group 1 to operate in promiscuous mode, network adapter eth0 for Probe
can capture the network traffic transmitted between users and the WWW/BBS server, and can
capture the network traffic transmitted between the WWW or BBS server and the database server.
Probe can use network adapter eth1 to send the collected traffic to the NTA server.
Figure 232 Deploying a probe on a virtual machine
To deploy a probe on a virtual machine:
1.
On a physical server, use the New Virtual Machine wizard to create virtual machines.
The virtual machines must meet the hardware requirements in Table 1 and the software
requirements in Table 2.
Table 1 Server hardware requirements
Item
Requirements
CPU
Type: Intel x86

Frequency: 3.0 GHz
Number of processors: 1 or 2
NOTE: To process traffic lower than 300 Mb/s, use one single-core CPU. To
process traffic higher than 300 Mb/s, use two single-core CPUs or one dual-core
CPU.
Memory
2 GB
Hard disk drive
80 GB
Network adapter card
Type: Built-in Gigabit NIC

Number of cards: 2
Table 2 Server software requirements

Item
Requirements
Operating system
Red Hat Linux ES 3.0 (32-bit)

Red Hat Enterprise Linux Server 5.0 (32-bit)
NOTE: Multiple versions of probe installers are available. When you install an IMC probe
in Red Hat Linux ES 3.0 or any of its updates, select a proper version according to the number
of CPUs, whether the CPU is hyper-threading, and whether the CPU is multi-core.
2.
Install the Linux operating system on the newly created virtual machine.
Table 2 lists the Linux operating systems that support probe installation. The IMC probe supports
Red Hat Enterprise Linux Server 5.0 and 5.5, but cannot run if the Linux kernel is PAE enabled.
PAE is enabled by default when Red Hat Enterprise Linux 5.5 is installed on a host with at
least 4 GB of memory. To correct this, disable PAE before installing the IMC probe. For
instructions on how to disable PAE, see "FAQ" in the Red Hat Enterprise Linux Server 5.0
Installation Guide.
3.
Install the probe program on the virtual machine with Linux installed.
For instructions on how to install the probe, see Intelligent Management Center Probe Installation
Guide.
Setting the network configuration for a virtual machine network adapter

Setting the network configuration for a virtual machine network adapter involves the following
tasks:
Adding the virtual machine network adapter to the correct port group
Setting promiscuous mode for the port group on which the network adapter for collecting
traffic for the probe resides.
Figure 233 shows a network for deploying a probe on a virtual machine. You must add network
adapter eth0 of Probe to port group 1, and add network adapter eth1 of Probe to port group 2.
Setting the network configuration for a virtual machine network adapter
351
Port group 1 is a service network through which the web server and database server provide
external services. Port group 2 is a network for managing all virtual servers. To enable the probe
to collect all traffic in the network, configure port group 1 to operate in promiscuous mode.
To set the network configuration for a virtual machine network adapter:
1. Log in to the VMware vSphere Client, and then select the host from the inventory panel.
2. Click the Configuration tab and click Networking, as shown in Figure 233.
3. On the right side of the screen, find the vSwitch to edit and click Properties for that vSwitch.
The vSwitch Properties dialog box appears.
Figure 233 Opening the vSwitch Properties dialog box
4.
5.
Click the Ports tab, as shown in Figure 234.

Select the port group 1 and click Edit. The port group properties dialog box appears.
Figure 234 vSwitch Properties dialog box
6.
7.
Click the Security tab in port group properties dialog box, as shown in Figure 235.
Click the box to the right of the Promiscuous Mode and select Accept from the list.
Figure 235 Port group properties dialog box
8.
Click OK. All network adapters in port group 1 are configured to operate in promiscuous
mode.
9. Select the virtual machine with the probe installed from the inventory panel and click Edit
Settings link. The Virtual Machine Properties dialog box appears.
10. Click the Hardware tab, as shown in Figure 236.
11. Click Network adapter 1, select Port group 1 in the Network label list on the right for Network
adapter 1 (eth0). A port group is uniquely identified by the network label.
12. Click Network adapter 2, select Port group 2 in the Network label list on the right for Network
adapter 2 (eth1).
Setting the network configuration for a virtual machine network adapter 353
Figure 236 Setting a port group for a virtual machine network adapter
13. Click OK to add virtual machine network adapters to correct port groups.
15 Acronyms and terms

CIDRClassless Inter-Domain Routing.
CSVComma-separated values.
DHCPDynamic Host Configuration Protocol.
probeSoftware that creates network flow records from devices that do not support network flow
record generation.
probe serverApplication that acts as a network flow generator that transmits network flow data
to the NTA server.
DNSDomain Name Service.
DoSDenial of Service.
FTPFile Transfer Protocol.
ICMPInternet Control Message Protocol.
IMCIntelligent Management Center.
JREJava Runtime Environment.
MACMedia Access Control.
MPLSMulti-Protocol Label Switching.
NetBSDAn open-source UNIX-like operating system descended from Berkeley Software Distribution.
NICNetwork interface card.
NTANetwork Traffic Analyzer.
OSIOpen Systems Interconnection.
PAEPhysical Address Enabled.
PDFPortable Document Format.
Probeprobe server.
RFCRequest for Comments.
RPCRemote procedure call.
RTFRich Text Format.
sFlowSampled Flow.
SNMPSimple Network Management Protocol.
TCPTransmission Control Protocol.
TopNTop N items that have the specified indexes.
ToSType of Service.
UBAUser Behavior Auditor.
UDPUser Datagram Protocol.
VLANVirtual LAN.
VPNVirtual Private Network.
355
16 Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
Technical support registration number (if applicable)
Product serial numbers
Product model names and number
Product identification number
Applicable error message
Add-on boards or hardware
Third-party hardware or software
Operating system type and revision level
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
For related documentation, navigate to the Networking section, and select a networking
category.
For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.
Websites
HP.com: http://www.hp.com
HP Networking: http://www.hp.com/go/networking
HP download drivers and software: http://www.hp.com/support/downloads
Typographic conventions
This section describes the conventions used in this documentation set.
356 Support and other resources
Document conventions
Table 3 Document conventions
Convention
Description
Blue text:
Cross-reference links and email addresses
Table 3 (page 357)

Blue, underlined text:
Website addresses
http://www.hp.com
Keys that are pressed
Bold text
Text typed into a GUI element, such as a box

GUI elements that are clicked or selected, such as menu and list items, buttons,
tabs, and check boxes
Italic text
Text emphasis
Monospace text
File and directory names

System output
Code
Commands, their arguments, and argument values
Monospace, italic text
Code variables
Command variables
Monospace, bold text
Emphasized monospace text
GUI conventions
Table 4 GUI conventions
Convention
Description
Boldface
Window names, button names, field names, and menu items are in bold text.
For example, the New User window appears; click OK.
>
Multi-level menus are separated by angle brackets.

For example, File > Create > Folder.
Symbols
WARNING! An alert that calls attention to important information that if not understood or followed
can result in personal injury.
CAUTION: An alert that calls attention to important information that if not understood or followed
can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT:
NOTE:
TIP:
An alert that calls attention to essential information.
An alert that contains additional or supplementary information.

An alert that provides helpful information.
Typographic conventions 357
17 Documentation feedback
HP is committed to providing documentation that meets your needs. To help us improve the
documentation, send any errors, suggestions, or comments to Documentation Feedback
(docsfeedback@hp.com). Include the document title and part number, version number, or the URL
when submitting your feedback.
358 Documentation feedback
Index
A
acronyms in this document, 355
adding
application, 41
application categories, 53
application traffic analysis task, 204
data source device, 27
host traffic analysis task, 231
inter-business traffic analysis task, 314
interface traffic analysis tasks, 86
probe traffic analysis task, 169
probes, 32
protocols, 49
VLAN traffic analysis tasks, 131
VPN traffic analysis task, 275
aggregation policy
configuring for traffic log auditing, 333
analyzing traffic between virtual machines
overview, 349
anomaly detection
DHCP Offer Packet, 71
DNS Rogue Hack, 71
Large ICMP Packet, 71
network behavior, 20
Ping of Death Attack, 71
anomaly detection list, 69
modifying, 70
viewing, 70
application
adding to NTA, 41
batch importing, 44
deleting, 45
managing, 39
modifying, 43
application categories
adding, 53
deleting, 56
managing, 51
modifying, 54
application category list
querying, 52
viewing, 51
application list
querying, 40
viewing, 39
application management, 19
application task reports
average rate (last 1 hour), 212
summary list (last 1 hour), 213
traffic trend for selected task (last 1 hour), 212
application tasks
summary reports, 212
application traffic analysis
configuration considerations, 202
overview, 201
task details, 203

application traffic analysis reports
details, 213
overview, 201
query traffic, 214
traffic, 213
viewing, 211
application traffic analysis task
adding, 204
deleting, 211
modifying, 207
viewing, 203
application traffic reports
destination host traffic trend, 222
destination reports, 219
query destination hosts, 220
query sessions, 223
query source hosts, 216
session reports, 223
session traffic list, 226
session traffic trend, 225
source host traffic trend, 218
source reports, 216
TopN destination hosts communicating with the source
host, 219
TopN source hosts communicating with destination host,
222
TopN traffic list for destination host, 221
TopN traffic list for session host, 225
TopN traffic list for source host, 218
TopN traffic report by destination host, 221
TopN traffic report for session host, 224
TopN traffic report for source host, 217
traffic details, 215
traffic trend average, 214
traffic trend peak rate, 215
auditing
exported data, 69
C
category management, 19
configuration
for traffic analysis and auditing, 24
NTA servers, 18
configuration considerations
application traffic analysis, 202
host session monitoring, 73
host traffic analysis, 229
interface traffic analysis, 83
probe traffic analysis, 167
VPN traffic analysis, 273
configuration issues
inter-business traffic analysis, 313
contacting HP, 356
359
data export
auditing , 69
config list, 67
configuration, 68
querying logs, 68
traffic , 67
data source device
adding, 27, 29
deleting, 31
data sources
managing, 24
database
current usage statistics, 66
data export, 67
space management, 66
usage trend statistics, 66
deleting
probes, 33
protocols, 51
details
NTA device list, 26
device list
details page, 26
viewing, 25
device management, 24
DHCP Offer Packet
anomaly detection, 71
DNS Rogue Hack
documentation, 356
providing feedback on, 358
typographic conventions, 357
help
obtaining, 356
host session monitoring
managing, 73
overview, 73, 74
reports, 73, 74
setting threshold alarms, 73
host session reports
details, 80
device, 78
individual NTA server, 77
session details, 80
session trend, 80
TopN sessions list, 78, 79
TopN sessions of all servers (last 1 hour), 75
TopN sessions of selected servers (last 1 hour), 76
host task reports
traffic trend and TopN application for selected task (last
1 hour), 240
host tasks
host traffic analysis
overview, 227
task details, 230
host traffic analysis reports
application, 245
application category list, 258
application category reports, 256
application category traffic trend, 259
application list, 247
application traffic trend, 248, 249
details, 242
individual application category reports, 259
individual applications, 248
individual protocol reports, 255
overview, 227
protocol list, 254
protocol reports, 253
protocol traffic trend, 255
query application categories, 257
query applications, 246
query destinations, 265
query protocols, 253
query sessions, 268
query sources, 261
query traffic, 242
session host traffic trend, 270
source reports, 261
TopN application category usage list source host list,
260
TopN application usage source host list, 249
TopN applications for session host, 271
TopN protocol usage list source host list, 256
F
filter condition list
adding a strategy, 61
deleting a strategy, 65
modifying a strategy, 63
viewing, 60
filter strategies
adding, 61
deleting, 65
modifying, 63
NTA traffic analysis, 59
overview, 19
flux log
NTA servers, 38
360 Index
TopN traffic details list for unknown TCP/UDP

applications by port, 252
TopN traffic list for unknown TCP/UDP applications by
destination host, 251
port, 250
source host, 251
TopN traffic report for destination host, 266
TopN traffic report for unknown TCP/UDP applications
by port, 250
TopN traffic trend for unknown TCP/UDP applications
by port, 252
traffic, 242
traffic details for destination host, 267
traffic details for source host, 264
traffic trend for destination host, 267
traffic trend for source host, 263
traffic trend peak, 244
viewing, 239
host traffic analysis task
adding, 231
deleting, 239
modifying, 235
viewing, 229
HP
technical support, 356
I
importing
protocols, 50
inter-business interest reports
interest, 328
query traffic , 328
TopN avg. rate, 329
inter-business reports, 325
query traffic , 325
TopN avg. rate, 325
Inter-business traffic analysis
configuration issues, 313
inter-business traffic analysis
task details, 314
inter-business traffic analysis reports
overview, 312
viewing, 320
inter-business traffic analysis task
adding, 314
deleting, 319
modifying, 317
viewing, 313
inter-business traffic analysis task reports
details, 321
flux distribution, 324
query traffic, 322
single business, 321
TopN avg. rate, 322
inter-business traffic monitoring
overview, 312
interface tasks
summary reports, 94
interface traffic analysis
overview, 82
task details, 85
interface traffic analysis reports
application, 103
application category traffic trend, 115, 116
details, 97
flux distribute in interface, 102
interface flux trend, 102
overview, 82, 94
protocol list, 111
query sessions, 125
query sources, 118
query traffic, 98
source reports, 117
application by port, 109
TopN traffic list for ToS/MPLS Exp, 101
361
TopN traffic list for unknown TCP/UDP application by

port, 108
TopN traffic report for unknown TCP/UDP application
by port, 108
TopN traffic trend for unknown TCP/UDP application
by port, 109
TopN traffic trend report for source host, 120
TopN VLAN traffic list, 101
traffic, 97
traffic details list, 103
1 hour), 95
traffic trend peak rate, 100
traffic trend report for destination host, 123
viewing, 94
interface traffic analysis tasks
adding, 86
deleting, 92
modifying, 89
overview, 16
network flow record processing
overview, 17
Network Traffic Analyzer
overview, 14
NTA applications, 38
NTA data source
overview, 14
NTA parameter settings, 20
NTA reports
overview, 342
NTA servers
configuration, 18
details, 35
flux log, 38
managing, 34
modifying configuration, 36
redeploying, 37
viewing, 34
NTA traffic analysis filters
filter conditions, 60
viewing, 60
NTA traffic analysis parameters
advanced settings, 56
basic settings, 56
configuring, 56
filtering, 59
Large ICMP Packet

M
management
application, 19
categories, 19
managing
data sources, 24
devices, 24
probes, 31
modifying
anomaly detection list templates, 70
data export configuration, 68
NTA server configuration, 36
probes, 33
protocols, 49
N
network behavior
network flow record collection
362 Index
overview
application traffic analysis reports, 201
host session monitor reports, 74
host session monitoring reports, 73
host traffic analysis reports, 227
interface traffic analysis reports, 82, 94
network flow record collection, 16
network flow record processing, 17
NTA data source, 14
NTA reports, 342
probe traffic analysis reports, 166
regular expressions, 45
VLAN traffic analysis, 128
VLAN traffic analysis reports, 128, 134
VPN traffic analysis reports, 272
P
probe list
details, 32
viewing, 31
probe management, 31
probe task reports
1 hour), 172
probe tasks

probe traffic analysis
task details, 168
probe traffic analysis reports
application, 176
details, 173
overview, 166
protocol list, 184
query sessions, 197
query sources, 190
query traffic, 174
source reports, 190
TopN application category usage list source host list,
190
TopN application usage source host list, 179
TopN protocol usage list source host list, 186
TopN traffic details for unknown TCP/UDP applications
by port, 182
destination host, 181
port, 181
source host, 181
by port, 180
TopN traffic trends for unknown TCP/UDP applications
by port, 182
traffic, 174
traffic trend report for source host, 193

viewing, 171
probe traffic analysis task
adding, 169
deleting, 171
modifying, 170
viewing, 167
probe traffic monitoring
overview, 166
probes
adding, 32
deleting, 33
modifying, 33
protocol list
querying, 48
viewing, 47
protocols
adding, 49
deleting, 51
importing, 50
managing, 47
modifying, 49
viewing, 47
Q
querying
data export logs, 68
protocol list, 48
R
redeploying
NTA server configuration, 37
registering
product, 356
subscription service, 356
regular expressions
overview, 45
reports
host sessions, 75
S
setting threshold alarms
space management
database, 66
statistics
database current usage, 66
database usage trend, 66
summary reports
application tasks, 212
host tasks, 240
probe tasks, 172
363
VPN tasks, 279
T
task details
inter-business traffic analysis, 314
task management
traffic analysis, 18
TCP Fin Scan templates
modifying, 70
technical support, 356
HP, 356
terms used in document, 355
traffic analysis, 18
between virtual machines, 22
traffic analysis and auditing
configuring, 24
traffic analysis tasks
viewing, 84
traffic log audit destination host reports
destination host details, 339
destination host list, 338
traffic log audit reports
destination host reports, 337
source host reports, 335
viewing, 335
traffic log audit session reports
session list, 340
traffic log audit source host reports
source host details, 336
source host list, 335
traffic log auditing
adding data sources to NTA, 331
adding device, 331
adding interface traffic analysis task, 333
adding probe, 331
adding probe traffic analysis task, 333
adding VPN, 332
adding VPN traffic analysis task, 334
configuring, 331
configuring aggregation policy, 333
creating tasks, 333
overview, 331
performing, 334
selecting device or probe, 332
typographic conventions
documentation, 356
symbols, 357
text GUI conventions, 357
V
viewing
anomaly detection list, 70
application cagegory list, 51
application traffic analysis reports, 211
application traffic analysis task details, 203
application traffic analysis tasks, 203
data export config list, 67
364 Index
host traffic analysis reports, 239

host traffic analysis task details, 230
host traffic analysis tasks, 229
inter-business traffic analysis reports, 320
interface traffic analysis reports, 94
interface traffic analysis task details, 85
NTA device list, 25
NTA server details, 35
NTA server list, 34
NTA traffic analysis filters, 60
probe list, 31
probe list details, 32
probe traffic analysis reports, 171
probe traffic analysis task details, 168
probe traffic analysis tasks, 167
traffic analysis tasks, 84
VLAN traffic analysis reports, 134
VLAN traffic analysis task details, 131
VPN traffic analysis reports, 278
VPN traffic analysis task details, 274
VPN traffic analysis tasks, 274
virtual machines
analyzing traffic between, 22, 349
deploying a probe, 350
server hardware requirements, 351
server software requirements, 351
setting the network configuration, 351
VLAN traffic analysis, 128
VLAN traffic analysis reports
application, 140
application category traffic trend for an individual
application category, 155
application category usage list for an individual
application category, 156
application traffic trend, 143
application traffic trend for an individual application,
143
details, 137
flux distribute in VLAN, 139
overview, 128, 134
protocol list, 151
protocol traffic trend for an individual protocol, 152
query sessions, 163
query sources, 157

query traffic, 137
source reports, 156
TopN application usage list for individual application,
144
TopN protocol usage list for an individual protocol, 152
application by destination, 149
application by source, 148
destination, 149
port, 145
source, 147
by destination, 148
by port, 144
by source, 146
traffic, 137
traffic trend, 138
1 hour), 135
traffic trend for unknown TCP/UDP application by
source, 147
traffic trend report for unknown TCP/UDP applications
by port, 145
viewing, 134
VLAN flux trend, 139
VLAN traffic analysis task details
viewing, 131
VLAN traffic analysis tasks
adding, 131
deleting, 134
modifying, 133
viewing, 130
VPN summary reports
interface flux distribution in VPNs, 280
summary list, 281

1 hour), 279
VPN flux distribution in interfaces, 280
VPN tasks
VPN traffic analysis
task details, 274
VPN traffic analysis reports
application, 286
application category traffic trend, 298, 299
application traffic trend, 289
application trend, 288
details, 281
overview, 272
protocol list, 294
query sessions, 308
query sources, 301
query traffic, 282
session host traffic trend report, 310
source reports, 300
TopN application category usage list, 299
TopN application usage list, 290
TopN protocol usage list, 296
TopN traffic list for ToS/MPLS exp, 285
TopN traffic list for unknown TCP/UDP by port, 291
by port, 291
traffic, 282
Traffic details, 307
365
traffic trend report for unknown TCP/UDP applications

by port, 292
viewing, 278
VPN traffic analysis task
adding, 275
deleting, 278
modifying, 276
viewing, 274
VPN traffic monitoring
overview, 272
W
websites, 356
366 Index

HP Intelligent Management Center Network Traffic Analyzer Administrator Guide

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

HP Intelligent Management Center Network Traffic Analyzer Administrator Guide

Enviado por

Direitos autorais:

Formatos disponíveis

v7.

0 HP Intelligent Management Center

HP Part Number: 5998-4733

Copyright 2013 Hewlett-Packard Development Company, L.P.

2 Configuring NTA for traffic analysis and auditing.........................................24

Adding an application category..........................................................................................53

3 Host session monitoring.............................................................................73

Viewing interface traffic analysis task details..........................................................................85

Application traffic trend...........................................................................................178

Summary reports for all application tasks............................................................................212

Application traffic trend...........................................................................................249

11 Performing traffic log audits in NTA.........................................................331

14 Analyzing traffic between virtual machines...............................................349

15 Acronyms and terms..............................................................................355

1 Introduction to Network Traffic Analyzer

NTA data source overview

Source and destination IP address

Source and destination port

Layer 4 protocol (TCP, UDP, or ICMP)

Input and output interfaces indices (ifIndex)

Timestamps for flow start and finish

Introduction to Network Traffic Analyzer

TCP flag summary information

Layer 3 routing information

Layer 3 protocol type

ToS byte interface

Input logical interface

NTA data source overview

NTA and network flow record collection overview

Introduction to Network Traffic Analyzer

NTA and network flow record processing overview

NTA and network flow record processing overview

NTA server configuration

Traffic analysis task management

Inter-business traffic analysis

Introduction to Network Traffic Analyzer

Application, protocol, and application category management

NTA parameter settings

ToS/MPLS Exp traffic analysis

unknown application traffic analysis

host session monitoring

VPN traffic analysis

peak traffic analysis

conversation aggregation TopN

Network behavior anomaly detection

Introduction to Network Traffic Analyzer

The following are the anomaly detection templates:

Land AttackDetects an attack on a host operating system. This attack is accomplished by

ICMP Parameter ProblemDetects ICMP packets that contain invalid parameters.

Analyzing the network traffic between virtual machines

Introduction to Network Traffic Analyzer

Analyzing the network traffic between virtual machines

2 Configuring NTA for traffic analysis and auditing

Managing NTA data sources

Configuring NTA for traffic analysis and auditing

Viewing the NTA device list

Device Resource InfoContains a link

to the Modify page for the associated device.

Managing NTA data sources

Viewing the NTA device details page

NetStream Statistics IdentifierIndicates whether or not NetStream Statistics Identifier is

NetStream New FeatureIndicates whether or not NetStream flow sampling feature is

NetStream Sampling RatioIndicates NetStream sampling ratio configured by the device.

Interface List with sFlow EnabledList of interfaces with sFlow enabled.